From niko at n-k.de Tue Nov 1 03:35:54 2016
From: niko at n-k.de (Niko Köbler)
Date: Tue, 1 Nov 2016 08:35:54 +0100
Subject: [keycloak-user] Exception with User Storage SPI priority configuration
In-Reply-To:
References:
Message-ID: <595C9D1A-AF2F-486C-BC32-DE85EB72AA24@n-k.de>

Hi,

I just tested and investigated a bit more...

When saving a UserStorageProvider, the "priority" value is sent within the config object:

    {
      "id": "320db9e2-6c40-4eb5-868e-95717be36fce",
      "name": "my-user-storage",
      "providerId": "my-user-storage",
      "providerType": "org.keycloak.storage.UserStorageProvider",
      "parentId": "demo",
      "config": {
        "baseUrl": [ "http://localhost:9000" ],
        "basicAuthUsername": [ "admin" ],
        "basicAuthPassword": [ "secret" ],
        "priority": { "0": "1" }
      }
    }

In contrast to a UserFederationProvider, where the "priority" value is sent as part of the root object, not in the nested config object.

When adding a "priority" config property in my UserStorageProvider, it works, but it looks strange in the Admin console, as there are now 2 priority fields... but it works.

Additionally, this error with the priority value leads to some JS error messages in the browser console when working with the Admin console. These are also gone when using my own "priority" config property.

I'd appreciate any feedback on this, if this is an error or whatever...

Thanks!

Regards,
- Niko

> On 31.10.2016 at 16:15, Niko Köbler wrote:
>
> Hi,
>
> I just implemented the User Storage SPI as replacement for our User Federation SPI.
>
> Creating the User-Storage Provider works w/o errors, but no Priority value will be saved.
> When updating the Provider with a value for Priority, it will fail with an exception (see below); updating the Provider without setting a value for Priority works.
>
> Do I have to implement/configure something special to get it to work?
> I based my implementation on the user-storage-jpa-example, provided with Keycloak.
> Or is it a general error? Should I create a Jira issue for it?
>
> The exception/stack trace:
>
> 16:03:14,392 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-31) RESTEASY002005: Failed executing PUT /admin/realms/connect/components/320db9e2-6c40-4eb5-868e-95717be36fce: org.jboss.resteasy.spi.ReaderException: com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize instance of java.util.ArrayList out of START_OBJECT token
> at [Source: io.undertow.servlet.spec.ServletInputStreamImpl at 1a486a1f; line: 1, column: 387] (through reference chain: org.keycloak.representations.idm.ComponentRepresentation["config"]->org.keycloak.common.util.MultivaluedHashMap["priority"])
> [...]
> Caused by: com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize instance of java.util.ArrayList out of START_OBJECT token
> at [Source: io.undertow.servlet.spec.ServletInputStreamImpl at 1a486a1f; line: 1, column: 387] (through reference chain: org.keycloak.representations.idm.ComponentRepresentation["config"]->org.keycloak.common.util.MultivaluedHashMap["priority"])
> [...]
> ... 48 more
>
> Regards,
> - Niko
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From michael_furman at hotmail.com Tue Nov 1 04:11:54 2016
From: michael_furman at hotmail.com (Michael Furman)
Date: Tue, 1 Nov 2016 08:11:54 +0000
Subject: [keycloak-user] List of supported cryptographic algorithms
Message-ID:

Hi all,

Where can I find the list of supported algorithms used here:
http://www.keycloak.org/docs/rest-api/#_credentialrepresentation

What is the list of hash algorithms?
What is the list of encryption algorithms?

Thank you in advance for your help.

Best regards,
Michael

From guus.der.kinderen at gmail.com Tue Nov 1 04:41:28 2016
From: guus.der.kinderen at gmail.com (Guus der Kinderen)
Date: Tue, 1 Nov 2016 09:41:28 +0100
Subject: [keycloak-user] Using a role to allow access to a resource
Message-ID:

Hi,

While trying to authenticate a user to obtain a resource, I'm running into an issue. It's likely caused by my misunderstanding of how things are supposed to work, rather than some kind of bug. I'd love to be corrected.

Using Keycloak 1.9.2, I've created a realm with two clients. One client is using the Javascript adapter[1] to create a very simple UI that lets the user authenticate. The resulting access token is used to make a request to a REST-like service, which employs the Java Servlet Filter Adapter[2].

We're planning to have multiple resource services like this, each exposing data for which different levels of authorization might be required.

I'd like our REST-like service to provide data only when the user that requests the data has an access token that is issued to a front-end that is allowed to access this data. To achieve this, I tried employing the use of a role. I think this is where I'm messing up somehow.

What I did:

In the realm, I've added a "realm role" ("scope param required" / "composite roles" both disabled).

In the client configuration that's used by the Javascript UI (which generates the access token), I've made these changes to the "scope" tab:

- Disabled "Full Scope Allowed"
- Moved the role that I added earlier from "available roles" to "assigned roles"

Finally, I've modified the implementation of the REST-like service to check for the new role, by doing something like this simplified code in a servlet (that's covered by the OIDC Filter):

    KeycloakSecurityContext securityContext = (KeycloakSecurityContext)
        request.getAttribute( KeycloakSecurityContext.class.getName() );
    if ( !securityContext.getToken().getRealmAccess().isUserInRole( "the-role-that-I-added" ) )
    {
        response.setStatus( HttpServletResponse.SC_FORBIDDEN );
        return;
    }

This throws a NullPointerException, as getRealmAccess() returns null.

While debugging the code, it appears that the access token itself is received and valid - it's the scope / role check that does not appear to come through.

I finally used the service at https://jwt.io/ to inspect the content of the access token that's being generated. I expected the "the-role-that-I-added" value to be in there somewhere, but that's not the case.

That's where I thought it'd be a good idea to get some advice, and here we are. I'd love some feedback.

Regards,

Guus

[1]: https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/javascript-adapter.html
[2]: https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/servlet-filter-adapter.html

From robert.discussions at gmail.com Tue Nov 1 04:57:36 2016
From: robert.discussions at gmail.com (Robert .)
Date: Tue, 1 Nov 2016 09:57:36 +0100
Subject: [keycloak-user] Stateless REST webservice registration
Message-ID:

I'm trying to expand my knowledge about Keycloak and OpenID Connect.

Is it necessary for a stateless REST webservice to be registered as a client in Keycloak? The token sent to the REST service is signed, so the REST service could verify the authenticity and validity of the token if it has the public key of the keycloak server. Why would there be any need for direct communication between the REST service and Keycloak?

From sthorger at redhat.com Tue Nov 1 05:06:46 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 1 Nov 2016 10:06:46 +0100
Subject: [keycloak-user] Custom Required Action
In-Reply-To:
References:
Message-ID:

Only way you'd be able to do it is with a custom realm resource. Required actions require the session to be processed.

On 11 May 2018 at 00:05, Bruno Palermo wrote:
> Hi,
>
> I'm trying to develop a custom required action to verify the user email without relying on the user session and allow the confirmation link to live longer.
>
> Let's say I send the user email as query parameter on the confirmation link.
>
> Is it possible to search the database directly using this email and avoid using 'RequiredActionContext getUser()'?
>
> Thanks,
> Bruno

From sthorger at redhat.com Tue Nov 1 05:08:21 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 1 Nov 2016 10:08:21 +0100
Subject: [keycloak-user] keycloak consuming saml
In-Reply-To:
References:
Message-ID:

I'm not quite following. Do you have an existing portal where users authenticate that is using SAML? If so, yes, you can use identity brokering to have users authenticated via the SAML IdP and then issue OIDC tokens to the apps.

On 30 October 2016 at 13:30, java_os wrote:
> Group
> Portal where users authenticated in adfs and need to add a link to my webapp protected by keycloak. Users click on link should trigger a saml post into keycloak, consume the assertion and let user in.
> Given this scenario how could i configure keycloak to receive the assertion and give my webapp an oidc token. Is this doable? Was looking at identity brokering, but this triggers request from keycloak to idp. I think my case is idp initiated saml post. Is it possible to use id brokering in this case, or how does anyone solve this scenario?
> Thanks

From sthorger at redhat.com Tue Nov 1 05:08:56 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 1 Nov 2016 10:08:56 +0100
Subject: [keycloak-user] Creation UI for new authentication schema configuration.
In-Reply-To:
References:
Message-ID:

On the config for the authenticator. Please look at the docs and also the example; it explains this pretty well.

On 31 October 2016 at 13:47, Michael Furman wrote:
> Thanks,
>
> Where will I see the generated UI?
> On the authentication page?
> http://localhost:8080/auth/admin/master/console/#/realms/master/authentication/flows/browser
>
> Also, can I add / update the authenticator configuration via REST API?
>
> http://www.keycloak.org/docs/rest-api/#_update_authenticator_configuration
>
> Thank you in advance for your help.
>
> Best regards,
>
> Michael
>
> ------------------------------
> From: Stian Thorgersen
> Sent: Monday, October 31, 2016 8:00 AM
> To: Michael Furman
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Creation UI for new authentication schema configuration.
>
> Configuration UI is generated based on what's returned by the getConfigProperties method
>
> On 30 October 2016 at 12:28, Michael Furman wrote:
>
>> Thanks Stian,
>>
>> I will be happy for the additional clarifications.
>>
>> I have looked in https://keycloak.gitbooks.io/server-developer-guide/content/topics/auth-spi.html but was not able to find a lot.
>>
>> I think that the following is relevant:
>>
>> "The next few methods define how the Authenticator can be configured. ... The getConfigProperties() method returns a list of ProviderConfigProperty objects. These objects define a specific configuration attribute."
>>
>> But according to my understanding the configuration should appear in the Authenticator configuration UI.
>>
>> Therefore, how should I create the UI?
>>
>> Additional question: will the new Authenticator appear in Authentication Flows:
>>
>> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/authentication/flows.html
>>
>> Will I be able to configure Required / Optional / Disabled for the new Authenticator?
>>
>> Thank you in advance for your help.
>>
>> Best regards,
>>
>> Michael
>>
>> ------------------------------
>> From: Stian Thorgersen
>> Sent: Thursday, October 27, 2016 9:57 AM
>> To: Michael Furman
>> Cc: keycloak-user at lists.jboss.org
>> Subject: Re: [keycloak-user] Creation UI for new authentication schema configuration.
>>
>> We don't support that directly so you would have to develop your own custom authenticator for it. The doc you linked describes how to do that.
>>
>> On 26 October 2016 at 17:08, Michael Furman wrote:
>>
>>> Hi all,
>>> I want to add support for the new authentication schema.
>>> How can I add UI for new authentication schema configuration?
>>> For example, I want to add the TACACS authentication schema.
>>> Therefore I need to configure the TACACS server IP and the secret.
>>> Maybe I have missed it, but I can not find it here:
>>> https://keycloak.gitbooks.io/server-developer-guide/content/topics/auth-spi.html
>>>
>>> Thank you in advance for your help.
>>> Best regards,
>>> Michael

From sthorger at redhat.com Tue Nov 1 05:09:59 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 1 Nov 2016 10:09:59 +0100
Subject: [keycloak-user] Creating the UI using REST API
In-Reply-To:
References:
Message-ID:

UI for what?

On 31 October 2016 at 09:41, Michael Furman wrote:
> Hi all,
> We need to create our own UI using REST API.
> I have authenticated a user in UI (http://localhost:8080/auth/admin/master/console/#/realms/master) and then I have tried to open some REST API from a browser in the new tab (for example http://localhost:8080/auth/admin/realms/master/clients).
>
> Unfortunately I get an HTTP 401 bearer error.
> I see that I need the bearer token if I access REST API from the command line: https://keycloak.gitbooks.io/server-developer-guide/content/v/2.2/topics/admin-rest-api.html
>
> What should the UI do to access the REST API?
> Also to allocate the bearer token and then to access the REST API?
> Do you have any JS lib that makes the process easier?
> Thank you in advance for your help.
> Best regards,
> Michael

From sblanc at redhat.com Tue Nov 1 05:13:24 2016
From: sblanc at redhat.com (Sebastien Blanc)
Date: Tue, 1 Nov 2016 10:13:24 +0100
Subject: [keycloak-user] Using a role to allow access to a resource
In-Reply-To:
References:
Message-ID:

Your token will contain the roles of the user, not the roles of the client. Does your user have the roles assigned?
On Tue, Nov 1, 2016 at 9:41 AM, Guus der Kinderen < guus.der.kinderen at gmail.com> wrote: > Hi, > > While trying to authenticate a user to obtain a resource, I'm running into > an issue. It's likely caused by my misunderstanding of how things are > supposed to work, rather than some kind of bug. I'd love to be corrected. > > Using Keycloak 1.9.2, I've created a realm with two clients. One client is > using the Javascript adapter[1] to create a very simply UI, that lets the > user authenticate. The resulting access token is used to make a request to > a REST-like service, which employs the Java Servlet Filter Adapter[2]. > > We're planning to have multiple resource services like this, each exposing > data for which different levels of authorization might be required. > > I'd like our REST-like service to provide data only when the user that > requests the data has an access token that is issued to a front-end that is > allowed to access this data. To achieve this, I tried employing the use of > a role. I think this is where I'm messing up somehow. 
> > What I did: > > In the realm, I've a added a "realm role" ( "scope param required" / > "composite roles" both disabled) > > In the client configuration that's used by the Javascript UI (which > generates the access token), I've made these changes to the "scope" tab: > > - Disabled "Full Scope Allowed" > - Moved the role that I added earlier from "available roles" to > "assigned roles" > > Finally, I've modified the implementation of the REST-like service to check > for the new role, by doing something like this simplified code in a servlet > (that's covered by the OIDC Filter): > > KeycloakSecurityContext securityContext = (KeycloakSecurityContext) > request.getAttribute( KeycloakSecurityContext.class.getName() ); > if ( !securityContext.getToken().getRealmAccess().isUserInRole( > "the-role-that-I-added" ) ) > { > response.setStatus( HttpServletResponse.SC_FORBIDDEN ); > return; > } > > This throws a NullPointerException, as getRealmAccess() returns null. > > While debugging the code, it's appears that the access token itself is > received and valid - it's the scope / role check that does not appear to > come through. > > I finally used the service at https://jwt.io/ to inspect the content of > the > access token that's being generated. I expected the 'the-role-that-I-added" > value to be in there somewhere, but that's not the case. > > That's where I thought it'd be a good idea to get some advice, and here we > are. I'd love some feedback. 
> > Regards, > > Guus > > [1]: > https://keycloak.gitbooks.io/securing-client-applications- > guide/content/topics/oidc/javascript-adapter.html > [2]: > https://keycloak.gitbooks.io/securing-client-applications- > guide/content/topics/oidc/java/servlet-filter-adapter.html > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sthorger at redhat.com Tue Nov 1 05:14:20 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 1 Nov 2016 10:14:20 +0100 Subject: [keycloak-user] Backend to Backend Call In-Reply-To: References: Message-ID: Actually this is not a use-case that we solve particularly well, but passing the refresh token is not a great idea. One option would be to increase the access token timeout, but that would have side effects on all other use-cases. The best and most secure option would be to have a one-time token that is passed to the asynchronous service. This is not something we have support for directly though and it would most likely not involve the IdP (Keycloak server) at all, but rather be a signed JWT issued by the caller that can be used by the async service for the callback. On 31 October 2016 at 22:10, Morse, Alexander (US - Newton) < amorse at deloitte.com> wrote: > Hi, > > Want to know the recommended approach for having asynchronous backend > services that are secured through bearer tokens call each other. We have an > interactive web application that calls a backend service. The JavaScript > adapter places the access token in the Authorization header. This backend > services starts an asynchronous job that then calls another backend > service, passing along the same Access Token. The problem arises when the > access token has expired while the first job was processing. 
Seems like one > relatively straight forward approach would be to have the front end pass a > refresh token to the backend, which it can use to obtain a new access > token. Are there better approaches? The adapters do not seem to natively > support this. > > Thanks, > Alex > > > > > This message (including any attachments) contains confidential information > intended for a specific individual and purpose, and is protected by law. If > you are not the intended recipient, you should delete this message and any > disclosure, copying, or distribution of this message, or the taking of any > action based on it, by you is strictly prohibited. > > v.E.1 > > > > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From guus.der.kinderen at gmail.com Tue Nov 1 05:16:39 2016 From: guus.der.kinderen at gmail.com (Guus der Kinderen) Date: Tue, 1 Nov 2016 10:16:39 +0100 Subject: [keycloak-user] Using a role to allow access to a resource In-Reply-To: References: Message-ID: ah, no - users don't have any roles assigned. Should users each have individually assigned all roles that can be used? Can we prevent one client from obtaining an access token with a role that's not intended to be used by that role? On 1 November 2016 at 10:13, Sebastien Blanc wrote: > Your token will contain the roles of the user, not the roles of the > client. Does your user have the roles assigned ? > > On Tue, Nov 1, 2016 at 9:41 AM, Guus der Kinderen < > guus.der.kinderen at gmail.com> wrote: > >> Hi, >> >> While trying to authenticate a user to obtain a resource, I'm running into >> an issue. It's likely caused by my misunderstanding of how things are >> supposed to work, rather than some kind of bug. I'd love to be corrected. >> >> Using Keycloak 1.9.2, I've created a realm with two clients. 
One client is >> using the Javascript adapter[1] to create a very simply UI, that lets the >> user authenticate. The resulting access token is used to make a request to >> a REST-like service, which employs the Java Servlet Filter Adapter[2]. >> >> We're planning to have multiple resource services like this, each exposing >> data for which different levels of authorization might be required. >> >> I'd like our REST-like service to provide data only when the user that >> requests the data has an access token that is issued to a front-end that >> is >> allowed to access this data. To achieve this, I tried employing the use of >> a role. I think this is where I'm messing up somehow. >> >> What I did: >> >> In the realm, I've a added a "realm role" ( "scope param required" / >> "composite roles" both disabled) >> >> In the client configuration that's used by the Javascript UI (which >> generates the access token), I've made these changes to the "scope" tab: >> >> - Disabled "Full Scope Allowed" >> - Moved the role that I added earlier from "available roles" to >> >> "assigned roles" >> >> Finally, I've modified the implementation of the REST-like service to >> check >> for the new role, by doing something like this simplified code in a >> servlet >> (that's covered by the OIDC Filter): >> >> KeycloakSecurityContext securityContext = (KeycloakSecurityContext) >> request.getAttribute( KeycloakSecurityContext.class.getName() ); >> if ( !securityContext.getToken().getRealmAccess().isUserInRole( >> "the-role-that-I-added" ) ) >> { >> response.setStatus( HttpServletResponse.SC_FORBIDDEN ); >> return; >> } >> >> This throws a NullPointerException, as getRealmAccess() returns null. >> >> While debugging the code, it's appears that the access token itself is >> received and valid - it's the scope / role check that does not appear to >> come through. >> >> I finally used the service at https://jwt.io/ to inspect the content of >> the >> access token that's being generated. 
I expected the >> 'the-role-that-I-added" >> value to be in there somewhere, but that's not the case. >> >> That's where I thought it'd be a good idea to get some advice, and here we >> are. I'd love some feedback. >> >> Regards, >> >> Guus >> >> [1]: >> https://keycloak.gitbooks.io/securing-client-applications-gu >> ide/content/topics/oidc/javascript-adapter.html >> [2]: >> https://keycloak.gitbooks.io/securing-client-applications-gu >> ide/content/topics/oidc/java/servlet-filter-adapter.html >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > From sblanc at redhat.com Tue Nov 1 05:36:07 2016 From: sblanc at redhat.com (Sebastien Blanc) Date: Tue, 1 Nov 2016 10:36:07 +0100 Subject: [keycloak-user] Using a role to allow access to a resource In-Reply-To: References: Message-ID: On Tue, Nov 1, 2016 at 10:16 AM, Guus der Kinderen < guus.der.kinderen at gmail.com> wrote: > ah, no - users don't have any roles assigned. > > Should users each have individually assigned all roles that can be used? > yes > Can we prevent one client from obtaining an access token with a role > that's not intended to be used by that role? > Wel not directly with auth, you will still be authnticated, you can just limit the roles that will be contained in the token (by doing it the way you did it initially with client scope). Maybe with authorization you can achieve this. > > On 1 November 2016 at 10:13, Sebastien Blanc wrote: > >> Your token will contain the roles of the user, not the roles of the >> client. Does your user have the roles assigned ? >> >> On Tue, Nov 1, 2016 at 9:41 AM, Guus der Kinderen < >> guus.der.kinderen at gmail.com> wrote: >> >>> Hi, >>> >>> While trying to authenticate a user to obtain a resource, I'm running >>> into >>> an issue. It's likely caused by my misunderstanding of how things are >>> supposed to work, rather than some kind of bug. 
>>> I'd love to be corrected.
>>>
>>> Using Keycloak 1.9.2, I've created a realm with two clients. One client is
>>> using the Javascript adapter[1] to create a very simple UI, that lets the
>>> user authenticate. The resulting access token is used to make a request to
>>> a REST-like service, which employs the Java Servlet Filter Adapter[2].
>>>
>>> We're planning to have multiple resource services like this, each exposing
>>> data for which different levels of authorization might be required.
>>>
>>> I'd like our REST-like service to provide data only when the user that
>>> requests the data has an access token that is issued to a front-end that is
>>> allowed to access this data. To achieve this, I tried employing the use of
>>> a role. I think this is where I'm messing up somehow.
>>>
>>> What I did:
>>>
>>> In the realm, I've added a "realm role" ("scope param required" /
>>> "composite roles" both disabled)
>>>
>>> In the client configuration that's used by the Javascript UI (which
>>> generates the access token), I've made these changes to the "scope" tab:
>>>
>>> - Disabled "Full Scope Allowed"
>>> - Moved the role that I added earlier from "available roles" to
>>>   "assigned roles"
>>>
>>> Finally, I've modified the implementation of the REST-like service to check
>>> for the new role, by doing something like this simplified code in a servlet
>>> (that's covered by the OIDC Filter):
>>>
>>>     KeycloakSecurityContext securityContext = (KeycloakSecurityContext)
>>>         request.getAttribute( KeycloakSecurityContext.class.getName() );
>>>     if ( !securityContext.getToken().getRealmAccess().isUserInRole( "the-role-that-I-added" ) )
>>>     {
>>>         response.setStatus( HttpServletResponse.SC_FORBIDDEN );
>>>         return;
>>>     }
>>>
>>> This throws a NullPointerException, as getRealmAccess() returns null.
>>>
>>> While debugging the code, it appears that the access token itself is
>>> received and valid - it's the scope / role check that does not appear to
>>> come through.
>>>
>>> I finally used the service at https://jwt.io/ to inspect the content of the
>>> access token that's being generated. I expected the "the-role-that-I-added"
>>> value to be in there somewhere, but that's not the case.
>>>
>>> That's where I thought it'd be a good idea to get some advice, and here we
>>> are. I'd love some feedback.
>>>
>>> Regards,
>>>
>>> Guus
>>>
>>> [1]: https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/javascript-adapter.html
>>> [2]: https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/servlet-filter-adapter.html
>>>
>>
>>
>

From guus.der.kinderen at gmail.com Tue Nov 1 05:40:49 2016
From: guus.der.kinderen at gmail.com (Guus der Kinderen)
Date: Tue, 1 Nov 2016 10:40:49 +0100
Subject: [keycloak-user] Using a role to allow access to a resource
In-Reply-To:
References:
Message-ID:

Okay, I'm trying to wrap my head around this - please correct me if I'm
wrong:

- All of our users are required to get all of the roles that potentially
  are used by clients. Can we automate this (we've got many users, with
  varying life cycles)?
- In the (keycloak-sided) configuration of clients (that authenticate
  users), we limit what roles can be included in the access token that's
  generated for that client
- In the code of the clients (that act as resource servers), we verify that
  the required role is in place (assuming that authentication itself
  succeeded in the first place).
On 1 November 2016 at 10:36, Sebastien Blanc wrote:

>
>
> On Tue, Nov 1, 2016 at 10:16 AM, Guus der Kinderen <guus.der.kinderen at gmail.com> wrote:
>
>> ah, no - users don't have any roles assigned.
>>
>> Should users each have individually assigned all roles that can be used?
>>
> yes
>
>> Can we prevent one client from obtaining an access token with a role
>> that's not intended to be used by that role?
>>
> Well, not directly with auth; you will still be authenticated. You can just
> limit the roles that will be contained in the token (by doing it the way
> you did it initially with client scope). Maybe with authorization you can
> achieve this.
>
>>
>> On 1 November 2016 at 10:13, Sebastien Blanc wrote:
>>
>>> Your token will contain the roles of the user, not the roles of the
>>> client. Does your user have the roles assigned?
>>>
>>> On Tue, Nov 1, 2016 at 9:41 AM, Guus der Kinderen <guus.der.kinderen at gmail.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> While trying to authenticate a user to obtain a resource, I'm running into
>>>> an issue. It's likely caused by my misunderstanding of how things are
>>>> supposed to work, rather than some kind of bug. I'd love to be corrected.
>>>>
>>>> Using Keycloak 1.9.2, I've created a realm with two clients. One client is
>>>> using the Javascript adapter[1] to create a very simple UI, that lets the
>>>> user authenticate. The resulting access token is used to make a request to
>>>> a REST-like service, which employs the Java Servlet Filter Adapter[2].
>>>>
>>>> We're planning to have multiple resource services like this, each exposing
>>>> data for which different levels of authorization might be required.
>>>>
>>>> I'd like our REST-like service to provide data only when the user that
>>>> requests the data has an access token that is issued to a front-end that is
>>>> allowed to access this data. To achieve this, I tried employing the use of
>>>> a role.
>>>> I think this is where I'm messing up somehow.
>>>>
>>>> What I did:
>>>>
>>>> In the realm, I've added a "realm role" ("scope param required" /
>>>> "composite roles" both disabled)
>>>>
>>>> In the client configuration that's used by the Javascript UI (which
>>>> generates the access token), I've made these changes to the "scope" tab:
>>>>
>>>> - Disabled "Full Scope Allowed"
>>>> - Moved the role that I added earlier from "available roles" to
>>>>   "assigned roles"
>>>>
>>>> Finally, I've modified the implementation of the REST-like service to check
>>>> for the new role, by doing something like this simplified code in a servlet
>>>> (that's covered by the OIDC Filter):
>>>>
>>>>     KeycloakSecurityContext securityContext = (KeycloakSecurityContext)
>>>>         request.getAttribute( KeycloakSecurityContext.class.getName() );
>>>>     if ( !securityContext.getToken().getRealmAccess().isUserInRole( "the-role-that-I-added" ) )
>>>>     {
>>>>         response.setStatus( HttpServletResponse.SC_FORBIDDEN );
>>>>         return;
>>>>     }
>>>>
>>>> This throws a NullPointerException, as getRealmAccess() returns null.
>>>>
>>>> While debugging the code, it appears that the access token itself is
>>>> received and valid - it's the scope / role check that does not appear to
>>>> come through.
>>>>
>>>> I finally used the service at https://jwt.io/ to inspect the content of the
>>>> access token that's being generated. I expected the "the-role-that-I-added"
>>>> value to be in there somewhere, but that's not the case.
>>>>
>>>> That's where I thought it'd be a good idea to get some advice, and here we
>>>> are. I'd love some feedback.
>>>>
>>>> Regards,
>>>>
>>>> Guus
>>>>
>>>> [1]: https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/javascript-adapter.html
>>>> [2]: https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/servlet-filter-adapter.html
>>>>
>>>
>>>
>>
>

From michael_furman at hotmail.com Tue Nov 1 05:50:12 2016
From: michael_furman at hotmail.com (Michael Furman)
Date: Tue, 1 Nov 2016 09:50:12 +0000
Subject: [keycloak-user] Creating the UI using REST API
In-Reply-To:
References:
Message-ID:

For example, a UI for user management: add user, update user, delete user.
I can find the appropriate REST APIs, but I want to understand how to use them.

________________________________
From: Stian Thorgersen
Sent: Tuesday, November 1, 2016 11:09 AM
To: Michael Furman
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Creating the UI using REST API

UI for what?

On 31 October 2016 at 09:41, Michael Furman wrote:

Hi all,
We need to create our own UI using the REST API.
I have authenticated a user in the UI (http://localhost:8080/auth/admin/master/console/#/realms/master) and then I have tried to open some REST API from a browser in a new tab (for example http://localhost:8080/auth/admin/realms/master/clients).
Unfortunately I get an HTTP 401 bearer error.
I see that I need the bearer token if I access the REST API from the command line:
https://keycloak.gitbooks.io/server-developer-guide/content/v/2.2/topics/admin-rest-api.html
What should the UI do to access the REST API? Also, to allocate the bearer token and then to access the REST API?
Do you have any JS lib that makes the process easier?
Thank you in advance for your help.
Best regards,
Michael

From bburke at redhat.com Tue Nov 1 10:17:46 2016
From: bburke at redhat.com (Bill Burke)
Date: Tue, 1 Nov 2016 10:17:46 -0400
Subject: [keycloak-user] Exception with User Storage SPI priority configuration
In-Reply-To: <595C9D1A-AF2F-486C-BC32-DE85EB72AA24@n-k.de>
References: <595C9D1A-AF2F-486C-BC32-DE85EB72AA24@n-k.de>
Message-ID: <5ac1b419-500f-400b-2887-cae420e3926a@redhat.com>

It's an admin console issue. I think I fixed it in master, but I'll double check.

On 11/1/16 3:35 AM, Niko Köbler wrote:
> Hi,
>
> I just tested and investigated a bit more...
>
> When saving a UserStorageProvider, the "priority" value is sent within the config object:
> {
>   "id": "320db9e2-6c40-4eb5-868e-95717be36fce",
>   "name": "my-user-storage",
>   "providerId": "my-user-storage",
>   "providerType": "org.keycloak.storage.UserStorageProvider",
>   "parentId": "demo",
>   "config": {
>     "baseUrl": [
>       "http://localhost:9000"
>     ],
>     "basicAuthUsername": [
>       "admin"
>     ],
>     "basicAuthPassword": [
>       "secret"
>     ],
>     "priority": {
>       "0": "1"
>     }
>   }
> }
>
> In contrast to a UserFederationProvider, where the "priority" value is sent as part of the root object, not in the nested config object.
>
> When adding a "priority" config property in my UserStorageProvider, it works, but it looks strange in the Admin console, as there are now 2 priority fields... but it works.
>
> Additionally, this error with the priority value leads to some JS error messages in the browser console when working with the Admin console. These are also gone when using an own "priority" config property.
>
> I'd appreciate any feedback on this, if this is an error or whatever...
> Thanks!
>
> Regards,
> - Niko
>
>
>
>> On 31.10.2016 at 16:15, Niko Köbler wrote:
>>
>> Hi,
>>
>> I just implemented the User Storage SPI as a replacement for our User Federation SPI.
>>
>> Creating the User-Storage Provider works w/o errors, but no Priority value will be saved.
>> When updating the Provider with a value for Priority, it will fail with an exception (see below); updating the Provider without setting a value for Priority works.
>>
>> Do I have to implement/configure something special to get it to work?
>> I based my implementation on the user-storage-jpa-example, provided with Keycloak.
>> Or is it a general error? Should I create a Jira issue for it?
>>
>>
>> The exception/stack trace:
>> 16:03:14,392 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-31) RESTEASY002005: Failed executing PUT /admin/realms/connect/components/320db9e2-6c40-4eb5-868e-95717be36fce: org.jboss.resteasy.spi.ReaderException: com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize instance of java.util.ArrayList out of START_OBJECT token
>>     at [Source: io.undertow.servlet.spec.ServletInputStreamImpl at 1a486a1f; line: 1, column: 387] (through reference chain: org.keycloak.representations.idm.ComponentRepresentation["config"]->org.keycloak.common.util.MultivaluedHashMap["priority"])
>>     at org.jboss.resteasy.core.MessageBodyParameterInjector.inject(MessageBodyParameterInjector.java:184)
>>     at org.jboss.resteasy.core.MethodInjectorImpl.injectArguments(MethodInjectorImpl.java:91)
>>     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:114)
>>     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>>     at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
>>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
>>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>>     at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>>     at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>>     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>>     at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>>     at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>>     at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>>     at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>     at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>>     at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>     at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>     at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>>     at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>>     at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>     at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>>     at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>     at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>     at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>>     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>>     at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>>     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>>     at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>>     at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>     at java.lang.Thread.run(Thread.java:745)
>> Caused by: com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize instance of java.util.ArrayList out of START_OBJECT token
>>     at [Source: io.undertow.servlet.spec.ServletInputStreamImpl at 1a486a1f; line: 1, column: 387] (through reference chain: org.keycloak.representations.idm.ComponentRepresentation["config"]->org.keycloak.common.util.MultivaluedHashMap["priority"])
>>     at com.fasterxml.jackson.databind.JsonMappingException.from(JsonMappingException.java:148)
>>     at com.fasterxml.jackson.databind.DeserializationContext.mappingException(DeserializationContext.java:835)
>>     at com.fasterxml.jackson.databind.DeserializationContext.mappingException(DeserializationContext.java:831)
>>     at com.fasterxml.jackson.databind.deser.std.StringCollectionDeserializer.handleNonArray(StringCollectionDeserializer.java:240)
>>     at com.fasterxml.jackson.databind.deser.std.StringCollectionDeserializer.deserialize(StringCollectionDeserializer.java:171)
>>     at com.fasterxml.jackson.databind.deser.std.StringCollectionDeserializer.deserialize(StringCollectionDeserializer.java:161)
>>     at com.fasterxml.jackson.databind.deser.std.StringCollectionDeserializer.deserialize(StringCollectionDeserializer.java:19)
>>     at com.fasterxml.jackson.databind.deser.std.MapDeserializer._readAndBindStringMap(MapDeserializer.java:485)
>>     at com.fasterxml.jackson.databind.deser.std.MapDeserializer.deserialize(MapDeserializer.java:342)
>>     at com.fasterxml.jackson.databind.deser.std.MapDeserializer.deserialize(MapDeserializer.java:26)
>>     at com.fasterxml.jackson.databind.deser.SettableBeanProperty.deserialize(SettableBeanProperty.java:523)
>>     at com.fasterxml.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:95)
>>     at com.fasterxml.jackson.databind.deser.impl.BeanPropertyMap.findDeserializeAndSet(BeanPropertyMap.java:285)
>>     at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:248)
>>     at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:136)
>>     at com.fasterxml.jackson.databind.ObjectReader._bind(ObjectReader.java:1410)
>>     at com.fasterxml.jackson.databind.ObjectReader.readValue(ObjectReader.java:860)
>>     at org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider.readFrom(ResteasyJackson2Provider.java:121)
>>     at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.readFrom(AbstractReaderInterceptorContext.java:61)
>>     at org.jboss.resteasy.core.interception.ServerReaderInterceptorContext.readFrom(ServerReaderInterceptorContext.java:60)
>>     at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:53)
>>     at org.jboss.resteasy.security.doseta.DigitalVerificationInterceptor.aroundReadFrom(DigitalVerificationInterceptor.java:34)
>>     at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:55)
>>     at org.jboss.resteasy.plugins.interceptors.encoding.GZIPDecodingInterceptor.aroundReadFrom(GZIPDecodingInterceptor.java:59)
>>     at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:55)
>>     at org.jboss.resteasy.core.MessageBodyParameterInjector.inject(MessageBodyParameterInjector.java:151)
>>     ... 48 more
>>
>>
>> Regards,
>> - Niko
>>
>

From sblanc at redhat.com Tue Nov 1 12:08:26 2016
From: sblanc at redhat.com (Sebastien Blanc)
Date: Tue, 1 Nov 2016 17:08:26 +0100
Subject: [keycloak-user] Using a role to allow access to a resource
In-Reply-To:
References:
Message-ID:

On Tue, Nov 1, 2016 at 10:40 AM, Guus der Kinderen <guus.der.kinderen at gmail.com> wrote:

> Okay, I'm trying to wrap my head around this - please correct me if I'm
> wrong:
>
> - All of our users are required to get all of the roles that potentially
>   are used by clients. Can we automate this (we've got many users, with
>   varying life cycles)?
>

I don't know what your exact flow is, but:

- You can have "default roles" (in the Roles section); these will be
  assigned by default on user creation
- All of the admin features can be accessed by a REST endpoint; this way
  you can totally customize how users are created and roles assigned

> - In the (keycloak-sided) configuration of clients (that authenticate
>   users), we limit what roles can be included in the access token that's
>   generated for that client
>

correct

> - In the code of the clients (that act as resource servers), we verify that
>   the required role is in place (assuming that authentication itself
>   succeeded in the first place).
>

correct

>
>
> On 1 November 2016 at 10:36, Sebastien Blanc wrote:
>
>>
>>
>> On Tue, Nov 1, 2016 at 10:16 AM, Guus der Kinderen <guus.der.kinderen at gmail.com> wrote:
>>
>>> ah, no - users don't have any roles assigned.
>>>
>>> Should users each have individually assigned all roles that can be used?
>>>
>> yes
>>
>>> Can we prevent one client from obtaining an access token with a role
>>> that's not intended to be used by that role?
>>>
>> Well, not directly with auth; you will still be authenticated. You can just
>> limit the roles that will be contained in the token (by doing it the way
>> you did it initially with client scope). Maybe with authorization you can
>> achieve this.
>>
>>>
>>> On 1 November 2016 at 10:13, Sebastien Blanc wrote:
>>>
>>>> Your token will contain the roles of the user, not the roles of the
>>>> client. Does your user have the roles assigned?
>>>>
>>>> On Tue, Nov 1, 2016 at 9:41 AM, Guus der Kinderen <guus.der.kinderen at gmail.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> While trying to authenticate a user to obtain a resource, I'm running into
>>>>> an issue. It's likely caused by my misunderstanding of how things are
>>>>> supposed to work, rather than some kind of bug. I'd love to be corrected.
>>>>>
>>>>> Using Keycloak 1.9.2, I've created a realm with two clients. One client is
>>>>> using the Javascript adapter[1] to create a very simple UI, that lets the
>>>>> user authenticate. The resulting access token is used to make a request to
>>>>> a REST-like service, which employs the Java Servlet Filter Adapter[2].
>>>>>
>>>>> We're planning to have multiple resource services like this, each exposing
>>>>> data for which different levels of authorization might be required.
>>>>>
>>>>> I'd like our REST-like service to provide data only when the user that
>>>>> requests the data has an access token that is issued to a front-end that is
>>>>> allowed to access this data. To achieve this, I tried employing the use of
>>>>> a role. I think this is where I'm messing up somehow.
>>>>>
>>>>> What I did:
>>>>>
>>>>> In the realm, I've added a "realm role" ("scope param required" /
>>>>> "composite roles" both disabled)
>>>>>
>>>>> In the client configuration that's used by the Javascript UI (which
>>>>> generates the access token), I've made these changes to the "scope" tab:
>>>>>
>>>>> - Disabled "Full Scope Allowed"
>>>>> - Moved the role that I added earlier from "available roles" to
>>>>>   "assigned roles"
>>>>>
>>>>> Finally, I've modified the implementation of the REST-like service to check
>>>>> for the new role, by doing something like this simplified code in a servlet
>>>>> (that's covered by the OIDC Filter):
>>>>>
>>>>>     KeycloakSecurityContext securityContext = (KeycloakSecurityContext)
>>>>>         request.getAttribute( KeycloakSecurityContext.class.getName() );
>>>>>     if ( !securityContext.getToken().getRealmAccess().isUserInRole( "the-role-that-I-added" ) )
>>>>>     {
>>>>>         response.setStatus( HttpServletResponse.SC_FORBIDDEN );
>>>>>         return;
>>>>>     }
>>>>>
>>>>> This throws a NullPointerException, as getRealmAccess() returns null.
>>>>>
>>>>> While debugging the code, it appears that the access token itself is
>>>>> received and valid - it's the scope / role check that does not appear to
>>>>> come through.
>>>>>
>>>>> I finally used the service at https://jwt.io/ to inspect the content of the
>>>>> access token that's being generated. I expected the "the-role-that-I-added"
>>>>> value to be in there somewhere, but that's not the case.
>>>>>
>>>>> That's where I thought it'd be a good idea to get some advice, and here we
>>>>> are. I'd love some feedback.
>>>>>
>>>>> Regards,
>>>>>
>>>>> Guus
>>>>>
>>>>> [1]: https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/javascript-adapter.html
>>>>> [2]: https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/servlet-filter-adapter.html
>>>>>
>>>>
>>>>
>>>
>>
>

From guybowdler at dorsetnetworks.com Tue Nov 1 13:49:24 2016
From: guybowdler at dorsetnetworks.com (Guy Bowdler)
Date: Tue, 01 Nov 2016 17:49:24 +0000
Subject: [keycloak-user] Not authorising access to app behind Keycloak security proxy
In-Reply-To: <729a3e21e420eb8d2bb61393fa58a702@dorsetnetworks.com>
References: <729a3e21e420eb8d2bb61393fa58a702@dorsetnetworks.com>
Message-ID: <4790ec970c79a6f79ce53049a1a2e5b2@dorsetnetworks.com>

Hi all,

I have an app that isn't keycloak aware and have put the keycloak security
proxy in front of it; however, even with the most basic settings I cannot
successfully authenticate to the page - it returns a 403 access denied error
and the keycloak proxy outputs this:

org.keycloak.adapters.OAuthRequestAuthenticator resolveCode
ERROR: failed to turn code into token
java.net.ConnectException: Connection refused (Connection refused)

Must admit I'm stumped, I thought with this config, any user with an account
that successfully logs in would get the app. I'm not using roles or anything
complicated (because I don't understand it yet) and have been round the
houses without success so any advice would be greatly appreciated!

thanks,

Guy

----------------------------------------------
Here's some info about the environment:
----------------------------------------------

Both keycloak and the application are reverse proxied via NGINX, but this
works fine when I change the proxy config from "authenticate":true to
"permit": true.
DMZ:
2 X NGINX SERVERS (not clustered), one proxying keycloak and the other
proxying the application <-- Proper headers set

----------------------------------------------

TRUST:
KEYCLOAK SERVER - Wildfly configured with _ _and _ _
APPLICATION SERVER - Keycloak Security Proxy

{
  "target-url": "http://1.2.3.4:80",
  "bind-address": "5.6.7.8",
  "http-port": "80",
  "https-port": "443",
  "keystore": "/opt/keycloak-proxy/KeyStore.jks",
  "keystore-password": "password",
  "key-password": "password",
  "applications": [
    {
      "base-path": "/",
      "error-page": "/error/denied.html",
      "adapter-config": {
        "realm": "realmname",
        "resource": "clientname",
        "realm-public-key": "publickey",
        "auth-server-url": "https://keycloak.tiberius.local/auth",
        "ssl-required": "external",
        "credentials": {
          "secret": "secret"
        }
      },
      "constraints": [
        {
          "pattern": "/*",
          "authenticate": "true"
        }
      ]
    }
  ]
}

From guybowdler at dorsetnetworks.com Tue Nov 1 14:05:16 2016
From: guybowdler at dorsetnetworks.com (Guy Bowdler)
Date: Tue, 01 Nov 2016 18:05:16 +0000
Subject: [keycloak-user] Keycloak not authorising access to app behind Keycloak security proxy
Message-ID: <09cda98c7b13d1dfe534f3d05c279a52@dorsetnetworks.com>

Hi all,

I have an app that isn't keycloak aware and have put the keycloak security
proxy in front of it; however, even with the most basic settings I cannot
successfully authenticate to the page - it returns a 403 access denied error
and the keycloak proxy outputs this:

org.keycloak.adapters.OAuthRequestAuthenticator resolveCode
ERROR: failed to turn code into token
java.net.ConnectException: Connection refused (Connection refused)

Must admit I'm stumped, I thought with this config, any user with an account
that successfully logs in would get the app. I'm not using roles or anything
complicated (because I don't understand it yet) and have been round the
houses without success so any advice would be greatly appreciated!
thanks,

Guy

----------------------------------------------
Here's some info about the environment:
----------------------------------------------

Both keycloak and the application are reverse proxied via NGINX, but this
works fine when I change the proxy config from "authenticate":true to
"permit": true.

DMZ:
2 X NGINX SERVERS (not clustered), one proxying keycloak and the other
proxying the application <-- Proper headers set

----------------------------------------------

TRUST:
KEYCLOAK SERVER - Wildfly configured with _ _and _ _
APPLICATION SERVER - Keycloak Security Proxy

{
  "target-url": "http://1.2.3.4:80",
  "bind-address": "5.6.7.8",
  "http-port": "80",
  "https-port": "443",
  "keystore": "/opt/keycloak-proxy/KeyStore.jks",
  "keystore-password": "password",
  "key-password": "password",
  "applications": [
    {
      "base-path": "/",
      "error-page": "/error/denied.html",
      "adapter-config": {
        "realm": "realmname",
        "resource": "clientname",
        "realm-public-key": "publickey",
        "auth-server-url": "https://keycloak.tiberius.local/auth",
        "ssl-required": "external",
        "credentials": {
          "secret": "secret"
        }
      },
      "constraints": [
        {
          "pattern": "/*",
          "authenticate": "true"
        }
      ]
    }
  ]
}

From adam.keily at adelaide.edu.au Tue Nov 1 18:27:24 2016
From: adam.keily at adelaide.edu.au (Adam Keily)
Date: Tue, 1 Nov 2016 22:27:24 +0000
Subject: [keycloak-user] External 2FA Integration
Message-ID:

Hi,

Is there any support / guidance for implementing external auth providers?
Particularly external MFA providers such as DUO or RSA etc.

Thanks
Adam

From jay.zou at roberthalf.com Tue Nov 1 19:54:04 2016
From: jay.zou at roberthalf.com (Zou, Jay (HQP))
Date: Tue, 1 Nov 2016 23:54:04 +0000
Subject: [keycloak-user] IdP-initiated saml request to saml SP which uses keycloak saml tomcat 8 adapter without configure tomcat realm
Message-ID:

Hi keycloak experts,

I am using the keycloak saml tomcat 8 adapter.
My question is that user is authenticated by an external saml IdP (Idp-Initiated request) through the KEYCLOAK-SAML with all necessary configuration so I do NOT need to authenticate that user again through the tomcat realm. But the defined in the web.xml of tomcat needs match the user's role to the role defined by the . Normally, the login-config will send user to the saml IdP to authenticate which will return a saml assertion that will include either an username or federation Id if the saml Idp authentication is successful. Then this username or federation Id is matched with the role defined in the by the tomcat realm. My question is that the user is already authenticated by the saml IdP so no need to match the username or federation Id to the role defined in the again in Tomcat realm. Could I do it without define a realm in tomcat? I think this is a quite common question that might already have an answer. :) Thanks, Jay From adam.keily at adelaide.edu.au Tue Nov 1 22:34:20 2016 From: adam.keily at adelaide.edu.au (Adam Keily) Date: Wed, 2 Nov 2016 02:34:20 +0000 Subject: [keycloak-user] Email Verification Message-ID: Just wondering if I'm missing something. The following scenario, to me, seems flawed. Realm Setting to verify email = On 1. New user registers an account. 2. From the account page, they change their email address, but have a typo in the address. 3. Attempt to login again and receive an error saying their email needs to be verified. 4. Cannot verify email because of the typo, user is locked out. To my way of thinking the email address should be verified at the time it is changed and before the new value is written to the attribute. Is that possible? 
Thanks
Adam

From michael_furman at hotmail.com Wed Nov 2 11:40:08 2016
From: michael_furman at hotmail.com (Michael Furman)
Date: Wed, 2 Nov 2016 15:40:08 +0000
Subject: [keycloak-user] List of supported cryptographic algorithms
In-Reply-To:
References:
Message-ID:

Can somebody point where to find the information?

________________________________
From: keycloak-user-bounces at lists.jboss.org on behalf of Michael Furman
Sent: Tuesday, November 1, 2016 10:11 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] List of supported cryptographic algorithms

Hi all,

Where can I find the list of supported algorithms used here:
http://www.keycloak.org/docs/rest-api/#_credentialrepresentation

What is the list of hash algorithms?
What is the list of encryption algorithms?

Thank you in advance for your help.

Best regards,
Michael

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From michael_furman at hotmail.com Wed Nov 2 11:53:53 2016
From: michael_furman at hotmail.com (Michael Furman)
Date: Wed, 2 Nov 2016 15:53:53 +0000
Subject: [keycloak-user] Clarifications regarding Spring Security Adapter Configuration
In-Reply-To: <20161028113417.GA31012@abstractj.org>
References: , <20161028113417.GA31012@abstractj.org>
Message-ID:

Thanks Bruno,

I will be happy for the additional clarification.
What is the redirect URL (Valid Redirect URIs) I should configure on the IDP during the client configuration? Below or something else?

http:////sso/login

________________________________
From: Bruno Oliveira
Sent: Friday, October 28, 2016 2:34 PM
To: Michael Furman; keycloak-user
Subject: Re: [keycloak-user] Clarifications regarding Spring Security Adapter Configuration

Hi Michael

On 2016-10-26, Michael Furman wrote:
> Hi all,
> I will be happy for a couple of clarifications regarding Java Adapter Configuration:
> https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/java-adapter-config.html
>
> I want to use Spring Security Adapter:
> https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/spring-security-adapter.html
>
> 1. Where should keycloak.json be located?
> How do I pass it to the Spring Security Adapter?

If you look at the section "XML Configuration"[1] there's a snippet showing how to configure it:

> 2. Is it possible to configure all properties (that are configured in keycloak.json) via database?
> Or alternatively via some Spring Context?

I did something related to this in the past with RESTful endpoints, not sure if it helps. But if you have sensitive information, I strongly recommend not doing that.

> In this case I will be able to put confidential information (e.g. truststore-password) in the database

Looking at this issue[2], I'm not sure if what you want is supported now.

[1] - https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/spring-security-adapter.html
[2] - https://issues.jboss.org/browse/KEYCLOAK-1410

> Thank you in advance for your help.
> Best regards,
> Michael
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
--
abstractj
PGP: 0x84DC9914

From thomas.darimont at googlemail.com Wed Nov 2 12:11:29 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Wed, 2 Nov 2016 17:11:29 +0100
Subject: [keycloak-user] List of supported cryptographic algorithms
In-Reply-To:
References:
Message-ID:

Hello Michael,

see: threat-model mitigations
https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.3/topics/threat.html

Password db compromised:
https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.3/topics/threat/password-db-compromised.html

Currently user passwords in Keycloak are by default hashed with PBKDF2WithHmacSHA1 + salt and 20.000 iterations.
https://github.com/keycloak/keycloak/blob/fc6d6ff7f7dae7fb25edf052659d18cd8de55a5f/server-spi/src/main/java/org/keycloak/policy/HashAlgorithmPasswordPolicyProviderFactory.java#L31
https://github.com/keycloak/keycloak/blob/a89dbabc921d841dc943ac3a33886396bb13781b/server-spi/src/main/java/org/keycloak/credential/hash/Pbkdf2PasswordHashProvider.java

You can provide your own hash algorithms via custom extensions, see: PasswordHashProviderFactory, PasswordHashProvider

Supported OTP hash algos:
SHA1("HmacSHA1"),
SHA256("HmacSHA256"),
SHA512("HmacSHA512");

OTP secrets are stored by default as HmacSHA1

HmacOTP:
https://github.com/keycloak/keycloak/blob/1aeec2a83c6677cd7dcfccb6ba2c39d10143b920/server-spi/src/main/java/org/keycloak/models/utils/HmacOTP.java#L33

User passwords as well as OTP secrets are stored within the "credentials" table in the Keycloak database (in case of using a RDBMS) via the CredentialEntity.

CredentialEntity:
https://github.com/keycloak/keycloak/blob/1aeec2a83c6677cd7dcfccb6ba2c39d10143b920/model/jpa/src/main/java/org/keycloak/models/jpa/entities/CredentialEntity.java#L50

Defaults in code might be overridden with defaults in database-changelog scripts:
https://github.com/keycloak/keycloak/tree/1aeec2a83c6677cd7dcfccb6ba2c39d10143b920/model/jpa/src/main/resources/META-INF

Cheers,
Thomas

2016-11-02 16:40 GMT+01:00 Michael Furman :
> Can somebody point where to find the information?

From chris.savory at edlogics.com Wed Nov 2 12:58:32 2016
From: chris.savory at edlogics.com (Chris Savory)
Date: Wed, 2 Nov 2016 16:58:32 +0000
Subject: [keycloak-user] Realm Roles not returned on search
Message-ID:

Is there a setting available to get an Admin API user search to return the Realm Roles?

This does not return the roles:

    public List<UserRepresentation> getAllUsers() {
        return keyCloak.realm( applicationSettings.getKeycloakApplicationProperties().getRealm() )
                .users().search( StringUtils.EMPTY, 0, Integer.MAX_VALUE );
    }

If we need the roles, we are currently forced to this:

    public UserRepresentation getUserById( String id ) {
        UserResource userResource = keyCloak.realm( applicationSettings.getKeycloakApplicationProperties().getRealm() )
                .users().get( id );
        UserRepresentation userRepresentation = userResource.toRepresentation();
        // realm role mappings and group memberships are not part of the search result, so fetch them per user
        userRepresentation.setRealmRoles( userResource.roles().getAll().getRealmMappings().stream()
                .map( RoleRepresentation::getName ).collect( Collectors.toList() ) );
        userRepresentation.setGroups( userResource.groups().stream()
                .map( GroupRepresentation::getName ).collect( Collectors.toList() ) );
        return userRepresentation;
    }

There are some cases we have where we are getting a large list of users and would want to exclude any ROLE_ADMIN in that list. Checking them all one-by-one would be very inefficient.

--
Christopher Savory
Software Engineer | EdLogics

From thomas.darimont at googlemail.com Wed Nov 2 15:02:30 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Wed, 2 Nov 2016 20:02:30 +0100
Subject: [keycloak-user] Interesting talk about OAuth 2.0 and the Internet of Things from Nordic APIs
Message-ID:

Hello,

just watched an (IMHO) very interesting video about "OAuth 2.0 and the Internet of Things (IoT)" from the Nordic APIs conference that I wanted to share.
It contains some interesting examples about proof of possession in the context of OAuth 2.0 and how to securely communicate with constrained devices:
https://www.youtube.com/watch?v=ZF0wrHtiXYw

More videos (also from past years) about OAuth 2.0 and OpenID Connect can be found here:
https://www.youtube.com/user/nordicapis/videos

Cheers,
Thomas

From palermo at pobox.com Wed Nov 2 19:18:48 2016
From: palermo at pobox.com (Bruno Palermo)
Date: Wed, 02 Nov 2016 23:18:48 -0000
Subject: [keycloak-user] Custom Required Action
In-Reply-To:
References: ,
Message-ID:

Stian,

And how can I access the database? Can you point me in the right direction?

Thanks,
Bruno

________________________________
From: Stian Thorgersen
Sent: Tuesday, November 1, 2016 7:06 AM
To: Bruno Palermo
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Custom Required Action

Only way you'd be able to do it is with a custom realm resource. Required actions require the session to be processed.

On 11 May 2018 at 00:05, Bruno Palermo wrote:

Hi,

I'm trying to develop a custom required action to verify the user email without relying on the user session and allow the confirmation link to live longer.

Let's say I send the user email as query parameter on the confirmation link.
Is it possible to search the database directly using this email and avoid using 'RequiredActionContext getUser()'?

Thanks,
Bruno
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From michael_furman at hotmail.com Thu Nov 3 01:08:23 2016
From: michael_furman at hotmail.com (Michael Furman)
Date: Thu, 3 Nov 2016 05:08:23 +0000
Subject: [keycloak-user] Clarifications regarding advanced authentications (LDAP, Kerberos, SAML)
Message-ID:

Hi all,

I will be happy for clarifications regarding advanced authentications (LDAP, Kerberos, SAML).

1. Why is Kerberos "User Federation" but SAML is "Identity Provider"? Both are SSO protocols (I do understand the difference between the protocols but it is seamless from the user point of view). What is the difference between User Federation and Identity Provider in Keycloak? Will Keycloak import all users from the defined in "User Federation" into the internal database?

2. How do I incorporate "User Federation" or "Identity Provider" into the authentication flow? I see that I can add "Identity Provider Redirector" but how do I add "User Federation"?

3. Regarding LDAP: I have added LDAP User Federation. The "Test connection" and the "Test authentication" pass successfully but I cannot authenticate LDAP users in the UI. What have I missed? Should I add LDAP to the authentication flow?

Thank you in advance for your help.
Michael

From michael_furman at hotmail.com Thu Nov 3 01:23:37 2016
From: michael_furman at hotmail.com (Michael Furman)
Date: Thu, 3 Nov 2016 05:23:37 +0000
Subject: [keycloak-user] Clarifications regarding advanced authentications (LDAP, Kerberos, SAML)
In-Reply-To:
References:
Message-ID:

One additional question regarding LDAP:
How can I provide an LDAP public key when I work over SSL (ldaps://:636)? Or does Keycloak trust any LDAP certificate?

________________________________
From: keycloak-user-bounces at lists.jboss.org on behalf of Michael Furman
Sent: Thursday, November 3, 2016 7:08 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Clarifications regarding advanced authentications (LDAP, Kerberos, SAML)

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From bjorn.j.janson at gmail.com Thu Nov 3 03:53:04 2016
From: bjorn.j.janson at gmail.com (Björn Janson)
Date: Thu, 3 Nov 2016 08:53:04 +0100
Subject: [keycloak-user] Keycloak-spring-boot-adapter CORS bug?
Message-ID:

Hello all,

I'm building an application with a Spring Boot (1.4.0) resource service and AngularJS (1.5.8) front-end. Both are separate projects and run on different ports. Therefore I applied global Spring Boot CORS configuration as instructed on this page: https://spring.io/guides/gs/rest-service-cors/ . This works fine. When I want to secure my application using Keycloak I get a No 'Access-Control-Allow-Origin' header 401 when my front-end wants to retrieve data from the service.

Because I'm using keycloak-spring-boot-adapter the configuration has to be done in the application.properties. I added these lines:

keycloak.cors = true
keycloak.cors-max-age = 1000
keycloak.cors-allowed-methods = POST, PUT, DELETE, GET

These didn't give an error. (keycloak.enable-cors = true did). Still, I get a 401 with a No 'Access-Control-Allow-Origin' error.
I tried several versions of the keycloak-spring-boot-adapter as well as Spring Boot 1.4.1 (which actually resulted in an internal error as described here: http://stackoverflow.com/questions/39794779/how-do-i-configure-the-spring-boot-quickstart-for-keycloak). I tried disabling the Spring Boot CORS configuration. I also tried to minimize the lines in my application.properties and only adding keycloak.cors = true for CORS configuration. All didn't work.

I'm just starting out with Keycloak so I don't know if I'm missing something or that I actually stumbled upon a bug. Is there anyone who might be able to help me?

Kind regards,
Björn

From sblanc at redhat.com Thu Nov 3 04:44:05 2016
From: sblanc at redhat.com (Sebastien Blanc)
Date: Thu, 3 Nov 2016 09:44:05 +0100
Subject: [keycloak-user] Keycloak-spring-boot-adapter CORS bug?
In-Reply-To:
References:
Message-ID:

Hi !

Before looking at the CORS stuff let's check how you have set up your keycloak configuration? The example you refer to is: a SpringBoot REST service and a JS frontend, which means:

- Your REST service must be a particular keycloak client with bearer-only.
- Your frontend service must be a particular keycloak client, and your JS app should use the keycloak.js adapter. From that client you will be redirected to the keycloak login page, after it redirects back you have to pass the token in the header before doing your backend call.

Regarding cors config in the properties file, these are not relevant for the SpringBoot adapter (we need to document that or make it work ;) ) but configuring CORS directly in SB should be enough.

Regarding your SB 1.4.1, this has been reported and fixed, it will be available in the next KC release.

Sebi

On Thu, Nov 3, 2016 at 8:53 AM, Björn Janson wrote:
> Hello all,
>
> I'm building an application with a Spring Boot (1.4.0) resource service and
> AngularJS (1.5.8) front-end. Both are separate projects and run on
> different ports.

From sthorger at redhat.com Thu Nov 3 05:47:49 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 3 Nov 2016 10:47:49 +0100
Subject: [keycloak-user] Custom Required Action
In-Reply-To:
References:
Message-ID:

You don't. You use the User SPI which you can get to through KeycloakSession.

On 12 February 2016 at 00:17, Bruno Palermo wrote:
> Stian,
>
> And how can I access the database? Can you point me in the right direction?

From bjorn.j.janson at gmail.com Thu Nov 3 06:33:27 2016
From: bjorn.j.janson at gmail.com (Björn Janson)
Date: Thu, 3 Nov 2016 11:33:27 +0100
Subject: [keycloak-user] Keycloak-spring-boot-adapter CORS bug?
In-Reply-To:
References:
Message-ID:

Hello Sebastien,

Thank you for the quick reply. I did configure the JS app using the keycloak.js adapter, and the REST service as a client with bearer-only.

I redid all my configuration again and for some reason I got right what I did wrong the last two nights I was working on it... Unfortunately I'm still clueless as to what I did wrong (I didn't commit my code which produced the error). I think I didn't configure the AngularJS $http Authorization header properly the times I got the REST service settings right.

Trying to reproduce my error I got the feeling that the CORS config in application.properties is relevant after all. Taking the following steps produced a 401:

- Remove CORS config from application.properties and restart the service
- Clear browser cache and restart the browser
- Visit the frontend application and successfully log in using Keycloak
- After the redirect back to the AngularJS homepage the REST service response was a 401

Then, adding back the CORS config in application.properties, restarting the service, clearing browser cache, restarting browser and logging in resulted in a 200. I repeated these steps several times and didn't change any other code or settings. So I think configuring CORS in Spring Boot is not sufficient after all.

Kind regards and thanks once more,
Björn

2016-11-03 9:44 GMT+01:00 Sebastien Blanc :
> Hi !
>
> Before looking at the CORS stuff let's check how you have set up your
> keycloak configuration?

From teknodjs at gmail.com Thu Nov 3 07:16:42 2016
From: teknodjs at gmail.com (Padmaka Wijaygoonawardena)
Date: Thu, 3 Nov 2016 16:46:42 +0530
Subject: [keycloak-user] Performance lag in client role creation and retrieval
Message-ID:

Hi,

I'm currently using Keycloak 2.2.1 with a MySQL database. The setup I'm using has 2 Keycloak nodes and around 4000 client roles for one client.
The process I go through for adding is as follows:

1. GET call to check whether the role already exists. (takes around 2000ms)
2. POST call to create the new client role. (takes around 10000ms)
3. GET call to get the newly created client role (since the create role call doesn't send the full client role in the response body). (takes around 10000ms)

The Keycloak version I used earlier was 1.9.0; with that version this process worked fine with one call taking around 700ms on average. So as shown above this is a huge performance lag. With further investigation I found the following points:

1. When using only one Keycloak node this problem doesn't appear. Therefore it should be some issue with the infinispan cache.
2. When I remove the get calls and only send the create calls then the calls return in 2000ms on average.
3. This lag only appears when executing a get role call soon after creating a client role.

I double checked the changes for 2.3.0 [1]; since there is nothing said about cache or related issues I raised this issue. Any advice or fix would be highly appreciated.

Thanks in advance.

[1] - http://blog.keycloak.org/2016/10/keycloak-230cr1-released.html

Cheers,
Padmaka.

From michael_furman at hotmail.com Thu Nov 3 07:44:23 2016
From: michael_furman at hotmail.com (Michael Furman)
Date: Thu, 3 Nov 2016 11:44:23 +0000
Subject: [keycloak-user] List of supported cryptographic algorithms
In-Reply-To:
References: ,
Message-ID:

Hi Thomas,

Thank you for the detailed answer!

Does Keycloak support "improving" the hashing algorithm during a password reset?

The use case:
Now we use SHA-256 for user passwords.
Therefore, during the migration to Keycloak I still need to use SHA-256.
But I want to replace the hash with PBKDF2.

It will be great if during a password reset it will be possible to replace the hash algorithm.
________________________________ From: Thomas Darimont Sent: Wednesday, November 2, 2016 6:11 PM To: Michael Furman Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] List of supported cryptographic algorithms Hello Michael, see: threat-model mitigations https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.3/topics/threat.html Password db compromised: https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.3/topics/threat/password-db-compromised.html currently user passwords in Keycloak are by default hashed with PBKDF2WithHmacSHA1 + salt and 20.000 iterations. https://github.com/keycloak/keycloak/blob/fc6d6ff7f7dae7fb25edf052659d18cd8de55a5f/server-spi/src/main/java/org/keycloak/policy/HashAlgorithmPasswordPolicyProviderFactory.java#L31 https://github.com/keycloak/keycloak/blob/a89dbabc921d841dc943ac3a33886396bb13781b/server-spi/src/main/java/org/keycloak/credential/hash/Pbkdf2PasswordHashProvider.java [https://avatars0.githubusercontent.com/u/4921466?v=3&s=400] keycloak/keycloak github.com keycloak - Open Source Identity and Access Management For Modern Applications and Services You can provide your own hash algorithms via custom extensions, see: PasswordHashProviderFactory, PasswordHashProvider Supported OTP hash algos: SHA1("HmacSHA1"), SHA256("HmacSHA256"), SHA512("HmacSHA512"); OTP secrets are stored by default as HmacSHA1 HmacOTP: https://github.com/keycloak/keycloak/blob/1aeec2a83c6677cd7dcfccb6ba2c39d10143b920/server-spi/src/main/java/org/keycloak/models/utils/HmacOTP.java#L33 User passwords as well as OTP secrets are stored within the "credentials" table in the Keycloak database (in case of using a RDBMS) via the CredentialEntity. 
CredentialEntity: https://github.com/keycloak/keycloak/blob/1aeec2a83c6677cd7dcfccb6ba2c39d10143b920/model/jpa/src/main/java/org/keycloak/models/jpa/entities/CredentialEntity.java#L50 Defaults in code might be overriden with defaults in database-changelog scripts: https://github.com/keycloak/keycloak/tree/1aeec2a83c6677cd7dcfccb6ba2c39d10143b920/model/jpa/src/main/resources/META-INF [https://avatars0.githubusercontent.com/u/4921466?v=3&s=400] keycloak/keycloak github.com keycloak - Open Source Identity and Access Management For Modern Applications and Services Cheers, Thomas 2016-11-02 16:40 GMT+01:00 Michael Furman >: Can somebody point where to find the information? ________________________________ From: keycloak-user-bounces at lists.jboss.org > on behalf of Michael Furman > Sent: Tuesday, November 1, 2016 10:11 AM To: keycloak-user at lists.jboss.org Subject: [keycloak-user] List of supported cryptographic algorithms Hi all, Where can I find list of supported algorithms used here: http://www.keycloak.org/docs/rest-api/#_credentialrepresentation What is the list of hash algorithms? What is the list of encryption algorithms? Thank you in advance for your help. Best regards, Michael _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user keycloak-user Info Page - JBoss Developer lists.jboss.org To see the collection of prior postings to the list, visit the keycloak-user Archives. Using keycloak-user: To post a message to all the list members ... 
_______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From bburke at redhat.com Thu Nov 3 10:10:22 2016 From: bburke at redhat.com (Bill Burke) Date: Thu, 3 Nov 2016 10:10:22 -0400 Subject: [keycloak-user] List of supported cryptographic algorithms In-Reply-To: References: Message-ID: If passwords are stored by Keycloak, it remembers the salt and algorithm used to create the hash for that password. If the policy changes, then the next password change will use the new algorithm defined. On 11/3/16 7:44 AM, Michael Furman wrote: > Hi Thomas, > Thank you for the detailed answer! > Is Keycloak supports "improve" of hashing algorithms during a password reset? > The use case: > Now we use SHA-256 for user passwords. > Therefore, during the migration to Keycloak I still need to use SHA-256. > But I want to replace hash to PBKDF2. > > It will be great if during a password reset it will be possible to replace the hash algorithm. > > > ________________________________ > From: Thomas Darimont > Sent: Wednesday, November 2, 2016 6:11 PM > To: Michael Furman > Cc: keycloak-user at lists.jboss.org > Subject: Re: [keycloak-user] List of supported cryptographic algorithms > > Hello Michael, > > see: threat-model mitigations > https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.3/topics/threat.html > > Password db compromised: > https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.3/topics/threat/password-db-compromised.html > > > currently user passwords in Keycloak are by default hashed with PBKDF2WithHmacSHA1 + salt and 20.000 iterations. 
>
> https://github.com/keycloak/keycloak/blob/fc6d6ff7f7dae7fb25edf052659d18cd8de55a5f/server-spi/src/main/java/org/keycloak/policy/HashAlgorithmPasswordPolicyProviderFactory.java#L31
> https://github.com/keycloak/keycloak/blob/a89dbabc921d841dc943ac3a33886396bb13781b/server-spi/src/main/java/org/keycloak/credential/hash/Pbkdf2PasswordHashProvider.java
>
> You can provide your own hash algorithms via custom extensions, see: PasswordHashProviderFactory, PasswordHashProvider
>
> Supported OTP hash algos:
> SHA1("HmacSHA1"),
> SHA256("HmacSHA256"),
> SHA512("HmacSHA512");
>
> OTP secrets are stored by default as HmacSHA1
>
> HmacOTP:
> https://github.com/keycloak/keycloak/blob/1aeec2a83c6677cd7dcfccb6ba2c39d10143b920/server-spi/src/main/java/org/keycloak/models/utils/HmacOTP.java#L33
>
> User passwords as well as OTP secrets are stored within the "credentials" table in the Keycloak database
> (in case of using an RDBMS) via the CredentialEntity.
>
> CredentialEntity:
> https://github.com/keycloak/keycloak/blob/1aeec2a83c6677cd7dcfccb6ba2c39d10143b920/model/jpa/src/main/java/org/keycloak/models/jpa/entities/CredentialEntity.java#L50
>
> Defaults in code might be overridden with defaults in database-changelog scripts:
> https://github.com/keycloak/keycloak/tree/1aeec2a83c6677cd7dcfccb6ba2c39d10143b920/model/jpa/src/main/resources/META-INF
>
> Cheers,
> Thomas
>
> 2016-11-02 16:40 GMT+01:00 Michael Furman:
> Can somebody point where to find the information?
>
> ________________________________
> From: keycloak-user-bounces at lists.jboss.org on behalf of Michael Furman
> Sent: Tuesday, November 1, 2016 10:11 AM
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] List of supported cryptographic algorithms
>
> Hi all,
> Where can I find the list of supported algorithms used here:
> http://www.keycloak.org/docs/rest-api/#_credentialrepresentation
> What is the list of hash algorithms?
> What is the list of encryption algorithms?
> Thank you in advance for your help.
> Best regards,
> Michael
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From thomas.darimont at googlemail.com Thu Nov 3 11:49:47 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Thu, 3 Nov 2016 16:49:47 +0100
Subject: [keycloak-user] Exception with User Storage SPI priority configuration
In-Reply-To: <5ac1b419-500f-400b-2887-cae420e3926a@redhat.com>
References: <595C9D1A-AF2F-486C-BC32-DE85EB72AA24@n-k.de> <5ac1b419-500f-400b-2887-cae420e3926a@redhat.com>
Message-ID:

Hello,

I'm facing the same problem - could you point me to the commit that fixed this in master?

Cheers,
Thomas

2016-11-01 15:17 GMT+01:00 Bill Burke:
> It's an admin console issue. I think I fixed it in master, but I'll
> double check.
>
> On 11/1/16 3:35 AM, Niko Köbler wrote:
> > Hi,
> >
> > I just tested and investigated a bit more...
> >
> > When saving a UserStorageProvider, the "priority" value is sent within the config object:
> > {
> >   "id": "320db9e2-6c40-4eb5-868e-95717be36fce",
> >   "name": "my-user-storage",
> >   "providerId": "my-user-storage",
> >   "providerType": "org.keycloak.storage.UserStorageProvider",
> >   "parentId": "demo",
> >   "config": {
> >     "baseUrl": [
> >       "http://localhost:9000"
> >     ],
> >     "basicAuthUsername": [
> >       "admin"
> >     ],
> >     "basicAuthPassword": [
> >       "secret"
> >     ],
> >     "priority": {
> >       "0": "1"
> >     }
> >   }
> > }
> >
> > In contrast to a UserFederationProvider, where the "priority" value is sent as part of the root object, not in the nested config object.
> >
> > When adding a "priority" config property in my UserStorageProvider, it works, but it looks strange in the Admin console, as there are now 2 priority fields... but it works.
> >
> > Additionally, this error with the priority value leads to some JS error messages in the browser console when working with the Admin console. These are also gone when using an own "priority" config property.
> >
> > I'd appreciate any feedback on this, if this is an error or whatever...
> > Thanks!
> >
> > Regards,
> > - Niko
> >
> >
> >> On 31.10.2016 at 16:15, Niko Köbler wrote:
> >>
> >> Hi,
> >>
> >> I just implemented the User Storage SPI as a replacement for our User Federation SPI.
> >>
> >> Creating the User-Storage Provider works w/o errors, but no Priority value will be saved.
> >> When updating the Provider with a value for Priority, it will fail with an exception (see below); updating the Provider without setting a value for Priority works.
> >>
> >> Do I have to implement/configure something special to get it to work?
> >> I based my implementation on the user-storage-jpa-example, provided with Keycloak.
> >> Or is it a general error? Should I create a Jira issue for it?
> >> > >> > >> The exception/stack trace: > >> 16:03:14,392 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default > task-31) RESTEASY002005: Failed executing PUT /admin/realms/connect/ > components/320db9e2-6c40-4eb5-868e-95717be36fce: org.jboss.resteasy.spi.ReaderException: > com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize > instance of java.util.ArrayList out of START_OBJECT token > >> at [Source: io.undertow.servlet.spec.ServletInputStreamImpl at 1a486a1f; > line: 1, column: 387] (through reference chain: > org.keycloak.representations.idm.ComponentRepresentation[" > config"]->org.keycloak.common.util.MultivaluedHashMap["priority"]) > >> at org.jboss.resteasy.core.MessageBodyParameterInjector. > inject(MessageBodyParameterInjector.java:184) > >> at org.jboss.resteasy.core.MethodInjectorImpl. > injectArguments(MethodInjectorImpl.java:91) > >> at org.jboss.resteasy.core.MethodInjectorImpl.invoke( > MethodInjectorImpl.java:114) > >> at org.jboss.resteasy.core.ResourceMethodInvoker. > invokeOnTarget(ResourceMethodInvoker.java:295) > >> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke( > ResourceMethodInvoker.java:249) > >> at org.jboss.resteasy.core.ResourceLocatorInvoker. > invokeOnTargetObject(ResourceLocatorInvoker.java:138) > >> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke( > ResourceLocatorInvoker.java:107) > >> at org.jboss.resteasy.core.ResourceLocatorInvoker. > invokeOnTargetObject(ResourceLocatorInvoker.java:133) > >> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke( > ResourceLocatorInvoker.java:107) > >> at org.jboss.resteasy.core.ResourceLocatorInvoker. 
> invokeOnTargetObject(ResourceLocatorInvoker.java:133) > >> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke( > ResourceLocatorInvoker.java:101) > >> at org.jboss.resteasy.core.SynchronousDispatcher.invoke( > SynchronousDispatcher.java:395) > >> at org.jboss.resteasy.core.SynchronousDispatcher.invoke( > SynchronousDispatcher.java:202) > >> at org.jboss.resteasy.plugins.server.servlet. > ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) > >> at org.jboss.resteasy.plugins.server.servlet. > HttpServletDispatcher.service(HttpServletDispatcher.java:56) > >> at org.jboss.resteasy.plugins.server.servlet. > HttpServletDispatcher.service(HttpServletDispatcher.java:51) > >> at javax.servlet.http.HttpServlet.service( > HttpServlet.java:790) > >> at io.undertow.servlet.handlers. > ServletHandler.handleRequest(ServletHandler.java:85) > >> at io.undertow.servlet.handlers. > FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) > >> at org.keycloak.services.filters. > KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter. > java:90) > >> at io.undertow.servlet.core.ManagedFilter.doFilter( > ManagedFilter.java:60) > >> at io.undertow.servlet.handlers. > FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) > >> at io.undertow.servlet.handlers. > FilterHandler.handleRequest(FilterHandler.java:84) > >> at io.undertow.servlet.handlers.security. > ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler. > java:62) > >> at io.undertow.servlet.handlers.ServletDispatchingHandler. > handleRequest(ServletDispatchingHandler.java:36) > >> at org.wildfly.extension.undertow.security. > SecurityContextAssociationHandler.handleRequest( > SecurityContextAssociationHandler.java:78) > >> at io.undertow.server.handlers.PredicateHandler. > handleRequest(PredicateHandler.java:43) > >> at io.undertow.servlet.handlers.security. 
> SSLInformationAssociationHandler.handleRequest( > SSLInformationAssociationHandler.java:131) > >> at io.undertow.servlet.handlers.security. > ServletAuthenticationCallHandler.handleRequest( > ServletAuthenticationCallHandler.java:57) > >> at io.undertow.server.handlers.PredicateHandler. > handleRequest(PredicateHandler.java:43) > >> at io.undertow.security.handlers. > AbstractConfidentialityHandler.handleRequest( > AbstractConfidentialityHandler.java:46) > >> at io.undertow.servlet.handlers.security. > ServletConfidentialityConstraintHandler.handleRequest( > ServletConfidentialityConstraintHandler.java:64) > >> at io.undertow.security.handlers. > AuthenticationMechanismsHandler.handleRequest( > AuthenticationMechanismsHandler.java:60) > >> at io.undertow.servlet.handlers.security. > CachedAuthenticatedSessionHandler.handleRequest( > CachedAuthenticatedSessionHandler.java:77) > >> at io.undertow.security.handlers. > NotificationReceiverHandler.handleRequest(NotificationReceiverHandler. > java:50) > >> at io.undertow.security.handlers. > AbstractSecurityContextAssociationHandler.handleRequest( > AbstractSecurityContextAssociationHandler.java:43) > >> at io.undertow.server.handlers.PredicateHandler. > handleRequest(PredicateHandler.java:43) > >> at org.wildfly.extension.undertow.security.jacc. > JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > >> at io.undertow.server.handlers.PredicateHandler. > handleRequest(PredicateHandler.java:43) > >> at io.undertow.server.handlers.PredicateHandler. > handleRequest(PredicateHandler.java:43) > >> at io.undertow.servlet.handlers.ServletInitialHandler. > handleFirstRequest(ServletInitialHandler.java:284) > >> at io.undertow.servlet.handlers.ServletInitialHandler. > dispatchRequest(ServletInitialHandler.java:263) > >> at io.undertow.servlet.handlers. > ServletInitialHandler.access$000(ServletInitialHandler.java:81) > >> at io.undertow.servlet.handlers.ServletInitialHandler$1. 
> handleRequest(ServletInitialHandler.java:174) > >> at io.undertow.server.Connectors. > executeRootHandler(Connectors.java:202) > >> at io.undertow.server.HttpServerExchange$1.run( > HttpServerExchange.java:793) > >> at java.util.concurrent.ThreadPoolExecutor.runWorker( > ThreadPoolExecutor.java:1142) > >> at java.util.concurrent.ThreadPoolExecutor$Worker.run( > ThreadPoolExecutor.java:617) > >> at java.lang.Thread.run(Thread.java:745) > >> Caused by: com.fasterxml.jackson.databind.JsonMappingException: Can > not deserialize instance of java.util.ArrayList out of START_OBJECT token > >> at [Source: io.undertow.servlet.spec.ServletInputStreamImpl at 1a486a1f; > line: 1, column: 387] (through reference chain: > org.keycloak.representations.idm.ComponentRepresentation[" > config"]->org.keycloak.common.util.MultivaluedHashMap["priority"]) > >> at com.fasterxml.jackson.databind.JsonMappingException. > from(JsonMappingException.java:148) > >> at com.fasterxml.jackson.databind.DeserializationContext. > mappingException(DeserializationContext.java:835) > >> at com.fasterxml.jackson.databind.DeserializationContext. > mappingException(DeserializationContext.java:831) > >> at com.fasterxml.jackson.databind.deser.std. > StringCollectionDeserializer.handleNonArray(StringCollectionDeserializer. > java:240) > >> at com.fasterxml.jackson.databind.deser.std. > StringCollectionDeserializer.deserialize(StringCollectionDeserializer. > java:171) > >> at com.fasterxml.jackson.databind.deser.std. > StringCollectionDeserializer.deserialize(StringCollectionDeserializer. > java:161) > >> at com.fasterxml.jackson.databind.deser.std. > StringCollectionDeserializer.deserialize(StringCollectionDeserializer. > java:19) > >> at com.fasterxml.jackson.databind.deser.std. > MapDeserializer._readAndBindStringMap(MapDeserializer.java:485) > >> at com.fasterxml.jackson.databind.deser.std. > MapDeserializer.deserialize(MapDeserializer.java:342) > >> at com.fasterxml.jackson.databind.deser.std. 
> MapDeserializer.deserialize(MapDeserializer.java:26) > >> at com.fasterxml.jackson.databind.deser. > SettableBeanProperty.deserialize(SettableBeanProperty.java:523) > >> at com.fasterxml.jackson.databind.deser.impl. > MethodProperty.deserializeAndSet(MethodProperty.java:95) > >> at com.fasterxml.jackson.databind.deser.impl. > BeanPropertyMap.findDeserializeAndSet(BeanPropertyMap.java:285) > >> at com.fasterxml.jackson.databind.deser.BeanDeserializer. > vanillaDeserialize(BeanDeserializer.java:248) > >> at com.fasterxml.jackson.databind.deser. > BeanDeserializer.deserialize(BeanDeserializer.java:136) > >> at com.fasterxml.jackson.databind.ObjectReader._bind( > ObjectReader.java:1410) > >> at com.fasterxml.jackson.databind.ObjectReader. > readValue(ObjectReader.java:860) > >> at org.jboss.resteasy.plugins.providers.jackson. > ResteasyJackson2Provider.readFrom(ResteasyJackson2Provider.java:121) > >> at org.jboss.resteasy.core.interception. > AbstractReaderInterceptorContext.readFrom(AbstractReaderInterceptorConte > xt.java:61) > >> at org.jboss.resteasy.core.interception. > ServerReaderInterceptorContext.readFrom(ServerReaderInterceptorContext > .java:60) > >> at org.jboss.resteasy.core.interception. > AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorConte > xt.java:53) > >> at org.jboss.resteasy.security.doseta. > DigitalVerificationInterceptor.aroundReadFrom( > DigitalVerificationInterceptor.java:34) > >> at org.jboss.resteasy.core.interception. > AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorConte > xt.java:55) > >> at org.jboss.resteasy.plugins.interceptors.encoding. > GZIPDecodingInterceptor.aroundReadFrom(GZIPDecodingInterceptor.java:59) > >> at org.jboss.resteasy.core.interception. > AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorConte > xt.java:55) > >> at org.jboss.resteasy.core.MessageBodyParameterInjector. > inject(MessageBodyParameterInjector.java:151) > >> ... 
48 more
> >>
> >>
> >> Regards,
> >> - Niko
> >>
> >>
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From chairfield at gmail.com Thu Nov 3 13:08:51 2016
From: chairfield at gmail.com (Chris Hairfield)
Date: Thu, 03 Nov 2016 17:08:51 +0000
Subject: [keycloak-user] Losing some sessions during clustering
Message-ID:

Hello Keycloak users,

We're seeing strange behavior with the session handling when starting up a new node. Keycloak doesn't retain all sessions. Here's our experiment:

1. start with 1 node containing a few dozen sessions
2. start node 2 (nodes clustered via JGroups Ping table + infinispan)
3. wait for 10 minutes
4. stop node 1

End result: *some* of the clients connected are forced to log back in. Most sessions remain.

We're still investigating, so I cannot infer beyond this point at the moment. I'm simply curious whether anyone knows the following:

- are *all* sessions meant to be migrated to new nodes?
- how long does it take to migrate sessions?
- does a new node wait until sessions are migrated before it enables the admin interface?
- is there any logic to prune sessions on clustering?

Any thoughts would be greatly appreciated.
Thanks,
Chris

From bburke at redhat.com Thu Nov 3 13:21:11 2016
From: bburke at redhat.com (Bill Burke)
Date: Thu, 3 Nov 2016 13:21:11 -0400
Subject: [keycloak-user] Exception with User Storage SPI priority configuration
In-Reply-To:
References: <595C9D1A-AF2F-486C-BC32-DE85EB72AA24@n-k.de> <5ac1b419-500f-400b-2887-cae420e3926a@redhat.com>
Message-ID:

Ok, can you clarify how to reproduce this problem? Are you creating storage providers through the REST interface? Or does this problem surface through the admin console?

On 11/3/16 11:49 AM, Thomas Darimont wrote:
> Hello,
>
> I'm facing the same problem - could you point me to the commit that
> fixed this in master?
>
> Cheers,
> Thomas
>
> 2016-11-01 15:17 GMT+01:00 Bill Burke:
>
> It's an admin console issue. I think I fixed it in master, but I'll
> double check.
>
> On 11/1/16 3:35 AM, Niko Köbler wrote:
> > Hi,
> >
> > I just tested and investigated a bit more...
> >
> > When saving a UserStorageProvider, the "priority" value is sent
> > within the config object:
> > {
> >   "id": "320db9e2-6c40-4eb5-868e-95717be36fce",
> >   "name": "my-user-storage",
> >   "providerId": "my-user-storage",
> >   "providerType": "org.keycloak.storage.UserStorageProvider",
> >   "parentId": "demo",
> >   "config": {
> >     "baseUrl": [
> >       "http://localhost:9000"
> >     ],
> >     "basicAuthUsername": [
> >       "admin"
> >     ],
> >     "basicAuthPassword": [
> >       "secret"
> >     ],
> >     "priority": {
> >       "0": "1"
> >     }
> >   }
> > }
> >
> > In contrast to a UserFederationProvider, where the "priority"
> > value is sent as part of the root object, not in the nested config
> > object.
> >
> > When adding a "priority" config property in my
> > UserStorageProvider, it works, but it looks strange in the Admin
> > console, as there are now 2 priority fields... but it works.
> >
> > Additionally, this error with the priority value leads to some
> > JS error messages in the browser console when working with the
> > Admin console. These are also gone when using an own "priority"
> > config property.
> >
> > I'd appreciate any feedback on this, if this is an error or
> > whatever...
> > Thanks!
> >
> > Regards,
> > - Niko
> >
> >
> >> On 31.10.2016 at 16:15, Niko Köbler wrote:
> >>
> >> Hi,
> >>
> >> I just implemented the User Storage SPI as a replacement for our
> >> User Federation SPI.
> >>
> >> Creating the User-Storage Provider works w/o errors, but no Priority
> >> value will be saved.
> >> When updating the Provider with a value for Priority, it will
> >> fail with an exception (see below); updating the Provider without
> >> setting a value for Priority works.
> >>
> >> Do I have to implement/configure something special to get it to work?
> >> I based my implementation on the user-storage-jpa-example,
> >> provided with Keycloak.
> >> Or is it a general error? Should I create a Jira issue for it?
> >>
> >>
> >> The exception/stack trace:
> >> 16:03:14,392 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-31) RESTEASY002005: Failed executing PUT /admin/realms/connect/components/320db9e2-6c40-4eb5-868e-95717be36fce: org.jboss.resteasy.spi.ReaderException: com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize instance of java.util.ArrayList out of START_OBJECT token
> >> at [Source: io.undertow.servlet.spec.ServletInputStreamImpl@1a486a1f; line: 1, column: 387] (through reference chain: org.keycloak.representations.idm.ComponentRepresentation["config"]->org.keycloak.common.util.MultivaluedHashMap["priority"])
> >> at org.jboss.resteasy.core.MessageBodyParameterInjector.inject(MessageBodyParameterInjector.java:184)
> >> at org.jboss.resteasy.core.MethodInjectorImpl.injectArguments(MethodInjectorImpl.java:91)
> >> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:114)
> >> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
> >> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
> >> at
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) > >> at > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) > >> at > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) > >> at > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) > >> at > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) > >> at > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) > >> at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395) > >> at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) > >> at > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) > >> at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) > >> at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) > >> at > javax.servlet.http.HttpServlet.service(HttpServlet.java:790) > >> at > io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) > >> at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) > >> at > org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) > >> at > io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) > >> at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) > >> at > io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) > >> at > io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) > >> at > 
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) > >> at > org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > >> at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > >> at > io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) > >> at > io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) > >> at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > >> at > io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) > >> at > io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > >> at > io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) > >> at > io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > >> at > io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) > >> at > io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) > >> at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > >> at > org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > >> at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > >> at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > >> at > 
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) > >> at > io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) > >> at > io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) > >> at > io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) > >> at > io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) > >> at > io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) > >> at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > >> at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > >> at java.lang.Thread.run(Thread.java:745) > >> Caused by: com.fasterxml.jackson.databind.JsonMappingException: > Can not deserialize instance of java.util.ArrayList out of > START_OBJECT token > >> at [Source: > io.undertow.servlet.spec.ServletInputStreamImpl at 1a486a1f; line: 1, > column: 387] (through reference chain: > org.keycloak.representations.idm.ComponentRepresentation["config"]->org.keycloak.common.util.MultivaluedHashMap["priority"]) > >> at > com.fasterxml.jackson.databind.JsonMappingException.from(JsonMappingException.java:148) > >> at > com.fasterxml.jackson.databind.DeserializationContext.mappingException(DeserializationContext.java:835) > >> at > com.fasterxml.jackson.databind.DeserializationContext.mappingException(DeserializationContext.java:831) > >> at > com.fasterxml.jackson.databind.deser.std.StringCollectionDeserializer.handleNonArray(StringCollectionDeserializer.java:240) > >> at > com.fasterxml.jackson.databind.deser.std.StringCollectionDeserializer.deserialize(StringCollectionDeserializer.java:171) > >> at > com.fasterxml.jackson.databind.deser.std.StringCollectionDeserializer.deserialize(StringCollectionDeserializer.java:161) > >> at > 
com.fasterxml.jackson.databind.deser.std.StringCollectionDeserializer.deserialize(StringCollectionDeserializer.java:19) > >> at > com.fasterxml.jackson.databind.deser.std.MapDeserializer._readAndBindStringMap(MapDeserializer.java:485) > >> at > com.fasterxml.jackson.databind.deser.std.MapDeserializer.deserialize(MapDeserializer.java:342) > >> at > com.fasterxml.jackson.databind.deser.std.MapDeserializer.deserialize(MapDeserializer.java:26) > >> at > com.fasterxml.jackson.databind.deser.SettableBeanProperty.deserialize(SettableBeanProperty.java:523) > >> at > com.fasterxml.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:95) > >> at > com.fasterxml.jackson.databind.deser.impl.BeanPropertyMap.findDeserializeAndSet(BeanPropertyMap.java:285) > >> at > com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:248) > >> at > com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:136) > >> at > com.fasterxml.jackson.databind.ObjectReader._bind(ObjectReader.java:1410) > >> at > com.fasterxml.jackson.databind.ObjectReader.readValue(ObjectReader.java:860) > >> at > org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider.readFrom(ResteasyJackson2Provider.java:121) > >> at > org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.readFrom(AbstractReaderInterceptorContext.java:61) > >> at > org.jboss.resteasy.core.interception.ServerReaderInterceptorContext.readFrom(ServerReaderInterceptorContext.java:60) > >> at > org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:53) > >> at > org.jboss.resteasy.security.doseta.DigitalVerificationInterceptor.aroundReadFrom(DigitalVerificationInterceptor.java:34) > >> at > org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:55) > >> at > 
org.jboss.resteasy.plugins.interceptors.encoding.GZIPDecodingInterceptor.aroundReadFrom(GZIPDecodingInterceptor.java:59)
> >> at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:55)
> >> at org.jboss.resteasy.core.MessageBodyParameterInjector.inject(MessageBodyParameterInjector.java:151)
> >> ... 48 more
> >>
> >>
> >> Regards,
> >> - Niko
> >>
> >>
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From john.bartko at drillinginfo.com Thu Nov 3 13:26:24 2016
From: john.bartko at drillinginfo.com (John Bartko)
Date: Thu, 3 Nov 2016 12:26:24 -0500
Subject: [keycloak-user] Losing some sessions during clustering
In-Reply-To:
References:
Message-ID:

It sounds like the sessions distributed-cache is not being replicated.

From the Install/Config documentation on cache replication:
"By default, Keycloak only specifies one owner for data. So if that one node goes down that data is lost. This usually means that users will be logged out and will have to login again."

jboss-cli snippet:
/subsystem=infinispan/cache-container=keycloak/distributed-cache=sessions:write-attribute(name=owners, value=2)

Hope that helps,
-John Bartko

On Thu, Nov 3, 2016 at 12:08 PM, Chris Hairfield wrote:
> Hello Keycloak users,
>
> We're seeing strange behavior with the session handling when starting up a
> new node. Keycloak doesn't retain all sessions. Here's our experiment:
>
> 1. start with 1 node containing a few dozen sessions
> 2.
start node 2 (nodes clustered via JGroups Ping table + infinispan)
> 3. wait for 10 minutes
> 4. stop node 1
>
> End result: *some* of the clients connected are forced to log back in. Most
> sessions remain.
>
> We're still investigating, so I cannot infer beyond this point at the
> moment. I'm simply curious whether anyone knows the following:
>
> - are *all* sessions meant to be migrated to new nodes?
> - how long does it take to migrate sessions?
> - does a new node wait until sessions are migrated before it enables the
> admin interface?
> - is there any logic to prune sessions on clustering?
>
> Any thoughts would be greatly appreciated.
>
> Thanks,
> Chris
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From chairfield at gmail.com Thu Nov 3 13:36:11 2016
From: chairfield at gmail.com (Chris Hairfield)
Date: Thu, 03 Nov 2016 17:36:11 +0000
Subject: [keycloak-user] Losing some sessions during clustering
In-Reply-To:
References:
Message-ID:

Many thanks, John. This seems very likely. If there's no response on our part, you may assume it's fixed.

Cheers,
Chris

On Thu, Nov 3, 2016 at 11:26 AM John Bartko wrote:
> It sounds like the sessions distributed-cache is not being replicated.
>
> From the Install/Config documentation on cache replication:
> "By default, Keycloak only specifies one owner for data. So if that one
> node goes down that data is lost. This usually means that users will be
> logged out and will have to login again."
>
> jboss-cli snippet:
> /subsystem=infinispan/cache-container=keycloak/distributed-cache=sessions:write-attribute(name=owners, value=2)
>
> Hope that helps,
> -John Bartko
>
> On Thu, Nov 3, 2016 at 12:08 PM, Chris Hairfield wrote:
>
> > Hello Keycloak users,
> >
> > We're seeing strange behavior with the session handling when starting up a
> > new node. Keycloak doesn't retain all sessions. Here's our experiment:
> >
> > 1. start with 1 node containing a few dozen sessions
> > 2. start node 2 (nodes clustered via JGroups Ping table + infinispan)
> > 3. wait for 10 minutes
> > 4. stop node 1
> >
> > End result: *some* of the clients connected are forced to log back in. Most
> > sessions remain.
> >
> > We're still investigating, so I cannot infer beyond this point at the
> > moment. I'm simply curious whether anyone knows the following:
> >
> > - are *all* sessions meant to be migrated to new nodes?
> > - how long does it take to migrate sessions?
> > - does a new node wait until sessions are migrated before it enables the
> > admin interface?
> > - is there any logic to prune sessions on clustering?
> >
> > Any thoughts would be greatly appreciated.
> >
> > Thanks,
> > Chris
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From predmijat at gmail.com Thu Nov 3 14:03:06 2016
From: predmijat at gmail.com (Predrag Mijatovic)
Date: Thu, 3 Nov 2016 19:03:06 +0100
Subject: [keycloak-user] Few questions about production deployment
Message-ID: <3AFB10CF-C262-4A30-B86F-0E2D9DC524BB@gmail.com>

Hi,

I've successfully deployed Keycloak in Standalone mode. Now I need to deploy it in production, meaning I need more resilience.

I've read in the documentation that Domain Clustered Mode requires network multicast, which is not available in AWS. I've also read that there are ways to circumvent this (didn't find a guide where someone actually explains the whole process though), but I'm not so sure that it would be a good approach - I don't want to introduce more complexity.

What is the best approach here? Should I insist on Domain Clustered Mode in AWS (can you provide guides where it's explained how to achieve that)? Or, is it possible to create a setup with multiple Standalone deployments, with some kind of a load balancer in front of them?
Thanks,
Predrag

From thomas.darimont at googlemail.com Thu Nov 3 14:18:36 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Thu, 3 Nov 2016 19:18:36 +0100
Subject: [keycloak-user] Exception with User Storage SPI priority configuration
References: <595C9D1A-AF2F-486C-BC32-DE85EB72AA24@n-k.de> <5ac1b419-500f-400b-2887-cae420e3926a@redhat.com>

Hello,

I could reproduce this with the "user-storage-jpa-example" from examples/provider in the keycloak repository.

I installed the provider via: mvn clean install wildfly:deploy
Then I created a new provider instance for "example-user-storage-jpa" in the admin-console / User Federation

In the create screen the "priority" field is populated with "0". After saving the priority field is empty.
If one now tries to set a priority one sees an error message: *Error!* An unexpected server error has occurred

The server console now shows the stacktrace mentioned by Niko.

Cheers,
Thomas

2016-11-03 18:21 GMT+01:00 Bill Burke:
> Ok, can you clarify how to reproduce this problem? Are you creating storage providers through the rest interface? Or does this problem surface through the admin console?
>
> On 11/3/16 11:49 AM, Thomas Darimont wrote:
> Hello,
>
> I'm facing the same problem - could you point me to the commit that fixed this in master?
>
> Cheers,
> Thomas
>
> 2016-11-01 15:17 GMT+01:00 Bill Burke:
>> It's an admin console issue. I think I fixed it in master, but I'll double check.
>>
>> On 11/1/16 3:35 AM, Niko Köbler wrote:
>> > Hi,
>> >
>> > I just tested and investigated a bit more...
>> >
>> > When saving a UserStorageProvider, the "priority" value is sent within the config object:
>> > {
>> >   "id": "320db9e2-6c40-4eb5-868e-95717be36fce",
>> >   "name": "my-user-storage",
>> >   "providerId": "my-user-storage",
>> >   "providerType": "org.keycloak.storage.UserStorageProvider",
>> >   "parentId": "demo",
>> >   "config": {
>> >     "baseUrl": [
>> >       "http://localhost:9000"
>> >     ],
>> >     "basicAuthUsername": [
>> >       "admin"
>> >     ],
>> >     "basicAuthPassword": [
>> >       "secret"
>> >     ],
>> >     "priority": {
>> >       "0": "1"
>> >     }
>> >   }
>> > }
>> >
>> > In contrast to a UserFederationProvider, where the "priority" value is sent as part of the root object, not in the nested config object.
>> >
>> > When adding a "priority" config property in my UserStorageProvider, it works, but it looks strange in the Admin console, as there are now 2 priority fields... but it works.
>> >
>> > Additionally, this error with the priority value leads to some JS error messages in the browser console when working with the Admin console. These are also gone when using an own "priority" config property.
>> >
>> > I'd appreciate any feedback on this, if this is an error or whatever...
>> > Thanks!
>> >
>> > Regards,
>> > - Niko
>> >
>> >> On 31.10.2016 at 16:15, Niko Köbler wrote:
>> >>
>> >> Hi,
>> >>
>> >> I just implemented the User Storage SPI as replacement for our User Federation SPI.
>> >>
>> >> Creating the User-Storage Provider works w/o errors, but no Priority value will be saved.
>> >> When updating the Provider with a value for Priority, it will fail with an exception (see below), updating the Provider without setting a value for Priority works.
>> >>
>> >> Do I have to implement/configure something special to get it to work?
>> >> I based my implementation on the user-storage-jpa-example, provided with Keycloak.
>> >> Or is it a general error? Should I create a Jira issue for it?
>> >>
>> >> The exception/stack trace:
>> >> 16:03:14,392 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-31) RESTEASY002005: Failed executing PUT /admin/realms/connect/components/320db9e2-6c40-4eb5-868e-95717be36fce: org.jboss.resteasy.spi.ReaderException: com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize instance of java.util.ArrayList out of START_OBJECT token
>> >> at [Source: io.undertow.servlet.spec.ServletInputStreamImpl at 1a486a1f; line: 1, column: 387] (through reference chain: org.keycloak.representations.idm.ComponentRepresentation["config"]->org.keycloak.common.util.MultivaluedHashMap["priority"])
>> >>
>> >> Regards,
>> >> - Niko

From thomas.darimont at googlemail.com Thu Nov 3 14:22:17 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Thu, 3 Nov 2016 19:22:17 +0100
Subject: [keycloak-user] Exception with User Storage SPI priority configuration
References: <595C9D1A-AF2F-486C-BC32-DE85EB72AA24@n-k.de> <5ac1b419-500f-400b-2887-cae420e3926a@redhat.com>

... FYI this is with keycloak-2.3.0.Final

2016-11-03 19:18 GMT+01:00 Thomas Darimont:
> Hello,
>
> I could reproduce this with the "user-storage-jpa-example" from examples/provider in the keycloak repository.
>
> I installed the provider via: mvn clean install wildfly:deploy
> Then I created a new provider instance for "example-user-storage-jpa" in the admin-console / User Federation
>
> In the create screen the "priority" field is populated with "0". After saving the priority field is empty.
> If one now tries to set a priority one sees an error message: *Error!* An unexpected server error has occurred
>
> The server console now shows the stacktrace mentioned by Niko.
>
> Cheers,
> Thomas
>
> 2016-11-03 18:21 GMT+01:00 Bill Burke:
>> Ok, can you clarify how to reproduce this problem? Are you creating storage providers through the rest interface?
>> Or does this problem surface through the admin console?
>>
>> On 11/3/16 11:49 AM, Thomas Darimont wrote:
>> Hello,
>>
>> I'm facing the same problem - could you point me to the commit that fixed this in master?
>>
>> Cheers,
>> Thomas
>>
>> 2016-11-01 15:17 GMT+01:00 Bill Burke:
>>> It's an admin console issue. I think I fixed it in master, but I'll double check.

From thomas.darimont at googlemail.com Thu Nov 3 14:34:55 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Thu, 3 Nov 2016 19:34:55 +0100
Subject: [keycloak-user] Exception with User Storage SPI priority configuration
References: <595C9D1A-AF2F-486C-BC32-DE85EB72AA24@n-k.de> <5ac1b419-500f-400b-2887-cae420e3926a@redhat.com>

... if I build a new server-distribution from current master (c3f3c5c) via:

mvn clean install -DskipTests -T 2.0C -pl :keycloak-server-dist -am -P distribution

and install the "user-storage-jpa-example" UserStorage provider and try to save, I see a similar exception, but this time JSON deserialization failures with the field "config" - which is probably related to the error discussed above.
Admin-Console sends the following JSON to the http://localhost:8080/auth/admin/realms/federation-test/components endpoint

{
  "name": "example-user-storage-jpa",
  "providerId": "example-user-storage-jpa",
  "providerType": "org.keycloak.storage.UserStorageProvider",
  "parentId": "federation-test",
  "config": {
    "priority": [
      "0"
    ],
    "cachePolicy": {
      "0": "DEFAULT"
    },
    "evictionHour": {
      "0": "0"
    },
    "evictionMinute": {
      "0": "0"
    }
  }
}

Cheers,
Thomas

19:28:58,684 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-116) RESTEASY002005: Failed executing POST /admin/realms/federation-test/components: org.jboss.resteasy.spi.ReaderException: com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize instance of java.util.ArrayList out of START_OBJECT token
 at [Source: io.undertow.servlet.spec.ServletInputStreamImpl at 1454aeb7; line: 1, column: 189] (through reference chain: org.keycloak.representations.idm.ComponentRepresentation["config"]->org.keycloak.common.util.MultivaluedHashMap["cachePolicy"])
 at org.jboss.resteasy.core.MessageBodyParameterInjector.inject(MessageBodyParameterInjector.java:184)
 at org.jboss.resteasy.core.MethodInjectorImpl.injectArguments(MethodInjectorImpl.java:91)
 at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:114)
 at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
 at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
 at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
 at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
 at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
 at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
 at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
 at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
 at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
 at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
 at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
 at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
 at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
 at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
 at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
 at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
 at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
 at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
 at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
 at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
 at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
 at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
 at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
 at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
 at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
 at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
 at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
 at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
 at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
 at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
 at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
 at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
 at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
 at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
 at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
 at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
 at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
 at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
 at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
 at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
 at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
 at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
 at java.lang.Thread.run(Thread.java:745)
Caused by: com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize instance of
java.util.ArrayList out of START_OBJECT token at [Source: io.undertow.servlet.spec.ServletInputStreamImpl at 1454aeb7; line: 1, column: 189] (through reference chain: org.keycloak.representations.idm.ComponentRepresentation["config"]->org.keycloak.common.util.MultivaluedHashMap["cachePolicy"]) at com.fasterxml.jackson.databind.JsonMappingException.from(JsonMappingException.java:148) at com.fasterxml.jackson.databind.DeserializationContext.mappingException(DeserializationContext.java:835) at com.fasterxml.jackson.databind.DeserializationContext.mappingException(DeserializationContext.java:831) at com.fasterxml.jackson.databind.deser.std.StringCollectionDeserializer.handleNonArray(StringCollectionDeserializer.java:240) at com.fasterxml.jackson.databind.deser.std.StringCollectionDeserializer.deserialize(StringCollectionDeserializer.java:171) at com.fasterxml.jackson.databind.deser.std.StringCollectionDeserializer.deserialize(StringCollectionDeserializer.java:161) at com.fasterxml.jackson.databind.deser.std.StringCollectionDeserializer.deserialize(StringCollectionDeserializer.java:19) at com.fasterxml.jackson.databind.deser.std.MapDeserializer._readAndBindStringMap(MapDeserializer.java:485) at com.fasterxml.jackson.databind.deser.std.MapDeserializer.deserialize(MapDeserializer.java:342) at com.fasterxml.jackson.databind.deser.std.MapDeserializer.deserialize(MapDeserializer.java:26) at com.fasterxml.jackson.databind.deser.SettableBeanProperty.deserialize(SettableBeanProperty.java:523) at com.fasterxml.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:95) at com.fasterxml.jackson.databind.deser.impl.BeanPropertyMap.findDeserializeAndSet(BeanPropertyMap.java:285) at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:248) at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:136) at com.fasterxml.jackson.databind.ObjectReader._bind(ObjectReader.java:1410) at 
com.fasterxml.jackson.databind.ObjectReader.readValue(ObjectReader.java:860) at org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider.readFrom(ResteasyJackson2Provider.java:121) at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.readFrom(AbstractReaderInterceptorContext.java:61) at org.jboss.resteasy.core.interception.ServerReaderInterceptorContext.readFrom(ServerReaderInterceptorContext.java:60) at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:53) at org.jboss.resteasy.security.doseta.DigitalVerificationInterceptor.aroundReadFrom(DigitalVerificationInterceptor.java:34) at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:55) at org.jboss.resteasy.plugins.interceptors.encoding.GZIPDecodingInterceptor.aroundReadFrom(GZIPDecodingInterceptor.java:59) at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:55) at org.jboss.resteasy.core.MessageBodyParameterInjector.inject(MessageBodyParameterInjector.java:151) ... 48 more 2016-11-03 19:22 GMT+01:00 Thomas Darimont : > ... FYI this is with keycloak-2.3.0.Final > > 2016-11-03 19:18 GMT+01:00 Thomas Darimont >: > >> Hello, >> >> I could reproduce this with the "user-storage-jpa-example" from >> examples/provider in the keycloak repository. >> >> I installed the provider via: mvn clean install wildfly:deploy >> Then I created a new provider instance for "example-user-storage-jpa" in >> the admin-console / User Federation >> >> In the create screen the "priority" field is populated with "0". After >> saving the priority field is empty. >> If one now tries to set a priority one sees an error message: *Error!* An >> unexpected server error has occurred >> >> The server console now shows the stacktrace mentioned by Niko. 
>> >> Cheers, >> Thomas >> >> 2016-11-03 18:21 GMT+01:00 Bill Burke : >> >>> Ok, can you clarify how to reproduce this problem? Are you creating >>> storage providers through the rest interface? Or does this problem surface >>> through the admin console? >>> >>> On 11/3/16 11:49 AM, Thomas Darimont wrote: >>> >>> Hello, >>> >>> I'm facing the same problem - could you point me to the commit that >>> fixed this in master? >>> >>> Cheers, >>> Thomas >>> >>> 2016-11-01 15:17 GMT+01:00 Bill Burke : >>> >>>> Its an admin console issue. I think I fixed it in master, but I 'll >>>> double check. >>>> >>>> >>>> On 11/1/16 3:35 AM, Niko K?bler wrote: >>>> > Hi, >>>> > >>>> > I just tested and investigated a bit more? >>>> > >>>> > When saving a UserStorageProvider, the ?priority? value is sent >>>> within the config object: >>>> > { >>>> > "id": "320db9e2-6c40-4eb5-868e-95717be36fce", >>>> > "name": "my-user-storage", >>>> > "providerId": "my-user-storage", >>>> > "providerType": "org.keycloak.storage.UserStorageProvider", >>>> > "parentId": "demo", >>>> > "config": { >>>> > "baseUrl": [ >>>> > "http://localhost:9000" >>>> > ], >>>> > "basicAuthUsername": [ >>>> > "admin" >>>> > ], >>>> > "basicAuthPassword": [ >>>> > "secret" >>>> > ], >>>> > "priority": { >>>> > "0": "1" >>>> > } >>>> > } >>>> > } >>>> > >>>> > In contrast to a UserFederationProvider, where the ?priority? value >>>> is sent as part of the root object, not in the nested config object. >>>> > >>>> > When adding a ?priority? config property in my UserStorageProvider, >>>> it works, but it looks strange in the Admin console, as there are now 2 >>>> priority fields? but it works. >>>> > >>>> > Additionally, this error with the priority value leads to some JS >>>> error messages in the browser console when working with the Admin console. >>>> These are also gone when using an own ?priority? config property. >>>> > >>>> > I?d appreciate any feedback on this, if this is an error or whatever? >>>> > Thanks! 
From thomas.darimont at googlemail.com Thu Nov 3 14:40:59 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Thu, 3 Nov 2016 19:40:59 +0100
Subject: [keycloak-user] Exception with User Storage SPI priority configuration
In-Reply-To:
References: <595C9D1A-AF2F-486C-BC32-DE85EB72AA24@n-k.de> <5ac1b419-500f-400b-2887-cae420e3926a@redhat.com>
Message-ID:

btw. just noticed.. switching back and forth between Identity Providers and User Federation results in duplicate entries in the federation provider list (ldap, and kerberos are repeated for every switch...)

2016-11-03 19:34 GMT+01:00 Thomas Darimont :
> ... if I build a new server-distribution from current master (c3f3c5c) via:
>
> mvn clean install -DskipTests -T 2.0C -pl :keycloak-server-dist -am -P distribution
>
> and install the "user-storage-jpa-example" UserStorage provider and try to save.
> I see a similar exception, but this time JSON deserialization failures with the field "config" - which is probably related to the error discussed above.
> > Admin-Console sends the following JSON to the http://localhost:8080/ > auth/admin/realms/federation-test/components endpoint > > { > "name":"example-user-storage-jpa", > "providerId":"example-user-storage-jpa", > "providerType":"org.keycloak.storage.UserStorageProvider", > "parentId":"federation-test", > "config":{ > "priority":[ > "0" > ], > "cachePolicy":{ > "0":"DEFAULT" > }, > "evictionHour":{ > "0":"0" > }, > "evictionMinute":{ > "0":"0" > } > } > } > > Cheers, > Thomas > > 19:28:58,684 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default > task-116) RESTEASY002005: Failed executing POST > /admin/realms/federation-test/components: org.jboss.resteasy.spi.ReaderException: > com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize > instance of java.util.ArrayList out of START_OBJECT token > at [Source: io.undertow.servlet.spec.ServletInputStreamImpl at 1454aeb7; > line: 1, column: 189] (through reference chain: > org.keycloak.representations.idm.ComponentRepresentation[" > config"]->org.keycloak.common.util.MultivaluedHashMap["cachePolicy"]) > at org.jboss.resteasy.core.MessageBodyParameterInjector.inject( > MessageBodyParameterInjector.java:184) > at org.jboss.resteasy.core.MethodInjectorImpl.injectArguments( > MethodInjectorImpl.java:91) > at org.jboss.resteasy.core.MethodInjectorImpl.invoke( > MethodInjectorImpl.java:114) > at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget( > ResourceMethodInvoker.java:295) > at org.jboss.resteasy.core.ResourceMethodInvoker.invoke( > ResourceMethodInvoker.java:249) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject( > ResourceLocatorInvoker.java:138) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke( > ResourceLocatorInvoker.java:107) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject( > ResourceLocatorInvoker.java:133) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke( > ResourceLocatorInvoker.java:107) > at 
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject( > ResourceLocatorInvoker.java:133) > at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke( > ResourceLocatorInvoker.java:101) > at org.jboss.resteasy.core.SynchronousDispatcher.invoke( > SynchronousDispatcher.java:395) > at org.jboss.resteasy.core.SynchronousDispatcher.invoke( > SynchronousDispatcher.java:202) > at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher. > service(ServletContainerDispatcher.java:221) > at org.jboss.resteasy.plugins.server.servlet. > HttpServletDispatcher.service(HttpServletDispatcher.java:56) > at org.jboss.resteasy.plugins.server.servlet. > HttpServletDispatcher.service(HttpServletDispatcher.java:51) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) > at io.undertow.servlet.handlers.ServletHandler.handleRequest( > ServletHandler.java:85) > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl. > doFilter(FilterHandler.java:129) > at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter( > KeycloakSessionServletFilter.java:90) > at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) > at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl. > doFilter(FilterHandler.java:131) > at io.undertow.servlet.handlers.FilterHandler.handleRequest( > FilterHandler.java:84) > at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler. 
> handleRequest(ServletSecurityRoleHandler.java:62) > at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest( > ServletDispatchingHandler.java:36) > at org.wildfly.extension.undertow.security.SecurityContextAssociationHand > ler.handleRequest(SecurityContextAssociationHandler.java:78) > at io.undertow.server.handlers.PredicateHandler.handleRequest( > PredicateHandler.java:43) > at io.undertow.servlet.handlers.security.SSLInformationAssociationHandl > er.handleRequest(SSLInformationAssociationHandler.java:131) > at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandl > er.handleRequest(ServletAuthenticationCallHandler.java:57) > at io.undertow.server.handlers.PredicateHandler.handleRequest( > PredicateHandler.java:43) > at io.undertow.security.handlers.AbstractConfidentialityHandler > .handleRequest(AbstractConfidentialityHandler.java:46) > at io.undertow.servlet.handlers.security.ServletConfidentialityConstrai > ntHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > at io.undertow.security.handlers.AuthenticationMechanismsHandle > r.handleRequest(AuthenticationMechanismsHandler.java:60) > at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHand > ler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > at io.undertow.security.handlers.NotificationReceiverHandler. > handleRequest(NotificationReceiverHandler.java:50) > at io.undertow.security.handlers.AbstractSecurityContextAssocia > tionHandler.handleRequest(AbstractSecurityContextAssocia > tionHandler.java:43) > at io.undertow.server.handlers.PredicateHandler.handleRequest( > PredicateHandler.java:43) > at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler. 
> handleRequest(JACCContextIdHandler.java:61) > at io.undertow.server.handlers.PredicateHandler.handleRequest( > PredicateHandler.java:43) > at io.undertow.server.handlers.PredicateHandler.handleRequest( > PredicateHandler.java:43) > at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest( > ServletInitialHandler.java:284) > at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest( > ServletInitialHandler.java:263) > at io.undertow.servlet.handlers.ServletInitialHandler.access$ > 000(ServletInitialHandler.java:81) > at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest( > ServletInitialHandler.java:174) > at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) > at io.undertow.server.HttpServerExchange$1.run( > HttpServerExchange.java:793) > at java.util.concurrent.ThreadPoolExecutor.runWorker( > ThreadPoolExecutor.java:1142) > at java.util.concurrent.ThreadPoolExecutor$Worker.run( > ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:745) > Caused by: com.fasterxml.jackson.databind.JsonMappingException: Can not > deserialize instance of java.util.ArrayList out of START_OBJECT token > at [Source: io.undertow.servlet.spec.ServletInputStreamImpl at 1454aeb7; > line: 1, column: 189] (through reference chain: > org.keycloak.representations.idm.ComponentRepresentation[" > config"]->org.keycloak.common.util.MultivaluedHashMap["cachePolicy"]) > at com.fasterxml.jackson.databind.JsonMappingException. > from(JsonMappingException.java:148) > at com.fasterxml.jackson.databind.DeserializationContext.mappingException( > DeserializationContext.java:835) > at com.fasterxml.jackson.databind.DeserializationContext.mappingException( > DeserializationContext.java:831) > at com.fasterxml.jackson.databind.deser.std.StringCollectionDeserializer. > handleNonArray(StringCollectionDeserializer.java:240) > at com.fasterxml.jackson.databind.deser.std.StringCollectionDeserializer. 
> deserialize(StringCollectionDeserializer.java:171) > at com.fasterxml.jackson.databind.deser.std.StringCollectionDeserializer. > deserialize(StringCollectionDeserializer.java:161) > at com.fasterxml.jackson.databind.deser.std.StringCollectionDeserializer. > deserialize(StringCollectionDeserializer.java:19) > at com.fasterxml.jackson.databind.deser.std.MapDeserializer._ > readAndBindStringMap(MapDeserializer.java:485) > at com.fasterxml.jackson.databind.deser.std.MapDeserializer.deserialize( > MapDeserializer.java:342) > at com.fasterxml.jackson.databind.deser.std.MapDeserializer.deserialize( > MapDeserializer.java:26) > at com.fasterxml.jackson.databind.deser.SettableBeanProperty.deserialize( > SettableBeanProperty.java:523) > at com.fasterxml.jackson.databind.deser.impl.MethodProperty. > deserializeAndSet(MethodProperty.java:95) > at com.fasterxml.jackson.databind.deser.impl.BeanPropertyMap. > findDeserializeAndSet(BeanPropertyMap.java:285) > at com.fasterxml.jackson.databind.deser.BeanDeserializer. > vanillaDeserialize(BeanDeserializer.java:248) > at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize( > BeanDeserializer.java:136) > at com.fasterxml.jackson.databind.ObjectReader._bind( > ObjectReader.java:1410) > at com.fasterxml.jackson.databind.ObjectReader. > readValue(ObjectReader.java:860) > at org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider. 
> readFrom(ResteasyJackson2Provider.java:121) > at org.jboss.resteasy.core.interception.AbstractReaderInterceptorConte > xt.readFrom(AbstractReaderInterceptorContext.java:61) > at org.jboss.resteasy.core.interception.ServerReaderInterceptorContext > .readFrom(ServerReaderInterceptorContext.java:60) > at org.jboss.resteasy.core.interception.AbstractReaderInterceptorConte > xt.proceed(AbstractReaderInterceptorContext.java:53) > at org.jboss.resteasy.security.doseta.DigitalVerificationInterceptor > .aroundReadFrom(DigitalVerificationInterceptor.java:34) > at org.jboss.resteasy.core.interception.AbstractReaderInterceptorConte > xt.proceed(AbstractReaderInterceptorContext.java:55) > at org.jboss.resteasy.plugins.interceptors.encoding. > GZIPDecodingInterceptor.aroundReadFrom(GZIPDecodingInterceptor.java:59) > at org.jboss.resteasy.core.interception.AbstractReaderInterceptorConte > xt.proceed(AbstractReaderInterceptorContext.java:55) > at org.jboss.resteasy.core.MessageBodyParameterInjector.inject( > MessageBodyParameterInjector.java:151) > ... 48 more > > > > 2016-11-03 19:22 GMT+01:00 Thomas Darimont >: > >> ... FYI this is with keycloak-2.3.0.Final >> >> 2016-11-03 19:18 GMT+01:00 Thomas Darimont > m>: >> >>> Hello, >>> >>> I could reproduce this with the "user-storage-jpa-example" from >>> examples/provider in the keycloak repository. >>> >>> I installed the provider via: mvn clean install wildfly:deploy >>> Then I created a new provider instance for "example-user-storage-jpa" in >>> the admin-console / User Federation >>> >>> In the create screen the "priority" field is populated with "0". After >>> saving the priority field is empty. >>> If one now tries to set a priority one sees an error message: *Error!* An >>> unexpected server error has occurred >>> >>> The server console now shows the stacktrace mentioned by Niko. >>> >>> Cheers, >>> Thomas >>> >>> 2016-11-03 18:21 GMT+01:00 Bill Burke : >>> >>>> Ok, can you clarify how to reproduce this problem? 
>>>> Are you creating storage providers through the rest interface? Or does this problem surface through the admin console?
>>>>
>>>> On 11/3/16 11:49 AM, Thomas Darimont wrote:
>>>>
>>>> Hello,
>>>>
>>>> I'm facing the same problem - could you point me to the commit that fixed this in master?
>>>>
>>>> Cheers,
>>>> Thomas
>>>>
>>>> 2016-11-01 15:17 GMT+01:00 Bill Burke :
>>>>
>>>>> It's an admin console issue. I think I fixed it in master, but I'll double check.
>>>>>
>>>>> On 11/1/16 3:35 AM, Niko Köbler wrote:
>>>>> > Hi,
>>>>> >
>>>>> > I just tested and investigated a bit more...
>>>>> >
>>>>> > When saving a UserStorageProvider, the "priority" value is sent within the config object:
>>>>> > {
>>>>> >   "id": "320db9e2-6c40-4eb5-868e-95717be36fce",
>>>>> >   "name": "my-user-storage",
>>>>> >   "providerId": "my-user-storage",
>>>>> >   "providerType": "org.keycloak.storage.UserStorageProvider",
>>>>> >   "parentId": "demo",
>>>>> >   "config": {
>>>>> >     "baseUrl": [
>>>>> >       "http://localhost:9000"
>>>>> >     ],
>>>>> >     "basicAuthUsername": [
>>>>> >       "admin"
>>>>> >     ],
>>>>> >     "basicAuthPassword": [
>>>>> >       "secret"
>>>>> >     ],
>>>>> >     "priority": {
>>>>> >       "0": "1"
>>>>> >     }
>>>>> >   }
>>>>> > }
>>>>> >
>>>>> > In contrast to a UserFederationProvider, where the "priority" value is sent as part of the root object, not in the nested config object.
>>>>> >
>>>>> > When adding a "priority" config property in my UserStorageProvider, it works, but it looks strange in the Admin console, as there are now 2 priority fields... but it works.
>>>>> >
>>>>> > Additionally, this error with the priority value leads to some JS error messages in the browser console when working with the Admin console. These are also gone when using an own "priority" config property.
>>>>> >
>>>>> > I'd appreciate any feedback on this, if this is an error or whatever...
>>>>> > Thanks!
>>>>> >
>>>>> > Regards,
>>>>> > - Niko
>>>>> >
>>>>> >> On 31.10.2016 at 16:15, Niko Köbler wrote:
>>>>> >>
>>>>> >> Hi,
>>>>> >>
>>>>> >> I just implemented the User Storage SPI as replacement for our User Federation SPI.
>>>>> >>
>>>>> >> Creating the User-Storage Provider works w/o errors, but no Priority value will be saved.
>>>>> >> When updating the Provider with a value for Priority, it will fail with an exception (see below), updating the Provider without setting a value for Priority works.
>>>>> >>
>>>>> >> Do I have to implement/configure something special to get it to work?
>>>>> >> I based my implementation on the user-storage-jpa-example, provided with Keycloak.
>>>>> >> Or is it a general error? Should I create a Jira issue for it?
>>>>> >>
>>>>> >> The exception/stack trace:
>>>>> >> 16:03:14,392 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-31) RESTEASY002005: Failed executing PUT /admin/realms/connect/components/320db9e2-6c40-4eb5-868e-95717be36fce: org.jboss.resteasy.spi.ReaderException: com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize instance of java.util.ArrayList out of START_OBJECT token
>>>>> >> at [Source: io.undertow.servlet.spec.ServletInputStreamImpl@1a486a1f; line: 1, column: 387] (through reference chain: org.keycloak.representations.idm.ComponentRepresentation["config"]->org.keycloak.common.util.MultivaluedHashMap["priority"])
>>>>> >> at org.jboss.resteasy.core.MessageBodyParameterInjector.inject(MessageBodyParameterInjector.java:184)
>>>>> >> at org.jboss.resteasy.core.MethodInjectorImpl.injectArguments(MethodInjectorImpl.java:91)
>>>>> >> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:114)
>>>>> >> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>>>>> >> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>>>>> >> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>>>>> >> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>>>>> >> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>>>>> >> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>>>>> >> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>>>>> >> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>>>>> >> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
>>>>> >> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
>>>>> >> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>>>>> >> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>>>>> >> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>>>>> >> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>>>>> >> at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>>>>> >> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>>>>> >> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>>>>> >> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>>>>> >> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>>>>> >> at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>>>>> >> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>>>>> >> at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>>>>> >> at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>>>>> >> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>> >> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>>>>> >> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>>>>> >> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>> >> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>>>> >> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>>>>> >> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>>>>> >> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>>>> >> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>>>>> >> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>>>>> >> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>> >> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>>>> >> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>> >> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>> >> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>>>>> >> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>>>>> >> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>>>>> >> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>>>>> >> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>>>>> >> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>>>>> >> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>> >> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>> >> at java.lang.Thread.run(Thread.java:745)
>>>>> >> Caused by: com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize instance of java.util.ArrayList out of START_OBJECT token
>>>>> >> at [Source: io.undertow.servlet.spec.ServletInputStreamImpl@1a486a1f; line: 1, column: 387] (through reference chain: org.keycloak.representations.idm.ComponentRepresentation["config"]->org.keycloak.common.util.MultivaluedHashMap["priority"])
>>>>> >> at com.fasterxml.jackson.databind.JsonMappingException.from(JsonMappingException.java:148)
>>>>> >> at com.fasterxml.jackson.databind.DeserializationContext.mappingException(DeserializationContext.java:835)
>>>>> >> at com.fasterxml.jackson.databind.DeserializationContext.mappingException(DeserializationContext.java:831)
>>>>> >> at com.fasterxml.jackson.databind.deser.std.StringCollectionDeserializer.handleNonArray(StringCollectionDeserializer.java:240)
>>>>> >> at com.fasterxml.jackson.databind.deser.std.StringCollectionDeserializer.deserialize(StringCollectionDeserializer.java:171)
>>>>> >> at com.fasterxml.jackson.databind.deser.std.StringCollectionDeserializer.deserialize(StringCollectionDeserializer.java:161)
>>>>> >> at com.fasterxml.jackson.databind.deser.std.StringCollectionDeserializer.deserialize(StringCollectionDeserializer.java:19)
>>>>> >> at com.fasterxml.jackson.databind.deser.std.MapDeserializer._readAndBindStringMap(MapDeserializer.java:485)
>>>>> >> at com.fasterxml.jackson.databind.deser.std.MapDeserializer.deserialize(MapDeserializer.java:342)
>>>>> >> at com.fasterxml.jackson.databind.deser.std.MapDeserializer.deserialize(MapDeserializer.java:26)
>>>>> >> at com.fasterxml.jackson.databind.deser.SettableBeanProperty.deserialize(SettableBeanProperty.java:523)
>>>>> >> at com.fasterxml.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:95)
>>>>> >> at com.fasterxml.jackson.databind.deser.impl.BeanPropertyMap.findDeserializeAndSet(BeanPropertyMap.java:285)
>>>>> >> at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:248)
>>>>> >> at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:136)
>>>>> >> at com.fasterxml.jackson.databind.ObjectReader._bind(ObjectReader.java:1410)
>>>>> >> at com.fasterxml.jackson.databind.ObjectReader.readValue(ObjectReader.java:860)
>>>>> >> at org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider.readFrom(ResteasyJackson2Provider.java:121)
>>>>> >> at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.readFrom(AbstractReaderInterceptorContext.java:61)
>>>>> >> at org.jboss.resteasy.core.interception.ServerReaderInterceptorContext.readFrom(ServerReaderInterceptorContext.java:60)
>>>>> >> at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:53)
>>>>> >> at org.jboss.resteasy.security.doseta.DigitalVerificationInterceptor.aroundReadFrom(DigitalVerificationInterceptor.java:34)
>>>>> >> at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:55)
>>>>> >> at org.jboss.resteasy.plugins.interceptors.encoding.GZIPDecodingInterceptor.aroundReadFrom(GZIPDecodingInterceptor.java:59)
>>>>> >> at
org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:55)
>>>>> >> at org.jboss.resteasy.core.MessageBodyParameterInjector.inject(MessageBodyParameterInjector.java:151)
>>>>> >> ... 48 more
>>>>> >>
>>>>> >> Regards,
>>>>> >> - Niko
>>>>> >>
>>>>> >> _______________________________________________
>>>>> >> keycloak-user mailing list
>>>>> >> keycloak-user at lists.jboss.org
>>>>> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>
>>>
>>
>

From bburke at redhat.com Thu Nov 3 14:50:50 2016
From: bburke at redhat.com (Bill Burke)
Date: Thu, 3 Nov 2016 14:50:50 -0400
Subject: [keycloak-user] Exception with User Storage SPI priority configuration
In-Reply-To:
References: <595C9D1A-AF2F-486C-BC32-DE85EB72AA24@n-k.de> <5ac1b419-500f-400b-2887-cae420e3926a@redhat.com>
Message-ID: <4de78f0b-2c05-fdfb-224a-6dc7124eb859@redhat.com>

Browser? I can't reproduce the problem on Safari nor Opera on macosx. If you go to users.js and search for GenericUserStorageCtrl you'll see that it is initializing all these variables to a list of something. Makes no sense why you are seeing this behavior.

On 11/3/16 2:34 PM, Thomas Darimont wrote:
> ... if I build a new server-distribution from current master (c3f3c5c) via:
>
> mvn clean install -DskipTests -T 2.0C -pl :keycloak-server-dist -am -P distribution
>
> and install the "user-storage-jpa-example" UserStorage provider and try to save.
> I see a similar exception, but this time JSON deserialization failures with the field "config" - which is probably related to the error discussed above.
>
> Admin-Console sends the following JSON to the http://localhost:8080/auth/admin/realms/federation-test/components endpoint
>
> {
>   "name":"example-user-storage-jpa",
>   "providerId":"example-user-storage-jpa",
>   "providerType":"org.keycloak.storage.UserStorageProvider",
>   "parentId":"federation-test",
>   "config":{
>     "priority":[
>       "0"
>     ],
>     "cachePolicy":{
>       "0":"DEFAULT"
>     },
>     "evictionHour":{
>       "0":"0"
>     },
>     "evictionMinute":{
>       "0":"0"
>     }
>   }
> }
>
> Cheers,
> Thomas
>
> 19:28:58,684 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-116) RESTEASY002005: Failed executing POST /admin/realms/federation-test/components: org.jboss.resteasy.spi.ReaderException: com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize instance of java.util.ArrayList out of START_OBJECT token
> at [Source: io.undertow.servlet.spec.ServletInputStreamImpl@1454aeb7; line: 1, column: 189] (through reference chain: org.keycloak.representations.idm.ComponentRepresentation["config"]->org.keycloak.common.util.MultivaluedHashMap["cachePolicy"])
> at org.jboss.resteasy.core.MessageBodyParameterInjector.inject(MessageBodyParameterInjector.java:184)
> at org.jboss.resteasy.core.MethodInjectorImpl.injectArguments(MethodInjectorImpl.java:91)
> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:114)
> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
> at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
> Caused by: com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize instance of java.util.ArrayList out of START_OBJECT token
> at [Source: io.undertow.servlet.spec.ServletInputStreamImpl@1454aeb7; line: 1, column: 189] (through reference chain: org.keycloak.representations.idm.ComponentRepresentation["config"]->org.keycloak.common.util.MultivaluedHashMap["cachePolicy"])
> at com.fasterxml.jackson.databind.JsonMappingException.from(JsonMappingException.java:148)
> at com.fasterxml.jackson.databind.DeserializationContext.mappingException(DeserializationContext.java:835)
> at com.fasterxml.jackson.databind.DeserializationContext.mappingException(DeserializationContext.java:831)
> at com.fasterxml.jackson.databind.deser.std.StringCollectionDeserializer.handleNonArray(StringCollectionDeserializer.java:240)
> at com.fasterxml.jackson.databind.deser.std.StringCollectionDeserializer.deserialize(StringCollectionDeserializer.java:171)
> at com.fasterxml.jackson.databind.deser.std.StringCollectionDeserializer.deserialize(StringCollectionDeserializer.java:161)
> at com.fasterxml.jackson.databind.deser.std.StringCollectionDeserializer.deserialize(StringCollectionDeserializer.java:19)
> at com.fasterxml.jackson.databind.deser.std.MapDeserializer._readAndBindStringMap(MapDeserializer.java:485)
> at com.fasterxml.jackson.databind.deser.std.MapDeserializer.deserialize(MapDeserializer.java:342)
> at com.fasterxml.jackson.databind.deser.std.MapDeserializer.deserialize(MapDeserializer.java:26)
> at com.fasterxml.jackson.databind.deser.SettableBeanProperty.deserialize(SettableBeanProperty.java:523)
> at com.fasterxml.jackson.databind.deser.impl.MethodProperty.deserializeAndSet(MethodProperty.java:95)
> at com.fasterxml.jackson.databind.deser.impl.BeanPropertyMap.findDeserializeAndSet(BeanPropertyMap.java:285)
> at com.fasterxml.jackson.databind.deser.BeanDeserializer.vanillaDeserialize(BeanDeserializer.java:248)
> at com.fasterxml.jackson.databind.deser.BeanDeserializer.deserialize(BeanDeserializer.java:136)
> at com.fasterxml.jackson.databind.ObjectReader._bind(ObjectReader.java:1410)
> at com.fasterxml.jackson.databind.ObjectReader.readValue(ObjectReader.java:860)
> at org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider.readFrom(ResteasyJackson2Provider.java:121)
> at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.readFrom(AbstractReaderInterceptorContext.java:61)
> at org.jboss.resteasy.core.interception.ServerReaderInterceptorContext.readFrom(ServerReaderInterceptorContext.java:60)
> at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:53)
> at org.jboss.resteasy.security.doseta.DigitalVerificationInterceptor.aroundReadFrom(DigitalVerificationInterceptor.java:34)
> at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:55)
> at org.jboss.resteasy.plugins.interceptors.encoding.GZIPDecodingInterceptor.aroundReadFrom(GZIPDecodingInterceptor.java:59)
> at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:55)
> at org.jboss.resteasy.core.MessageBodyParameterInjector.inject(MessageBodyParameterInjector.java:151)
> ... 48 more
>
> 2016-11-03 19:22 GMT+01:00 Thomas Darimont >:
>
> > ...
>> 48 more
>>
>> Regards,
>> - Niko
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From thomas.darimont at googlemail.com Thu Nov 3 15:10:37 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Thu, 3 Nov 2016 20:10:37 +0100
Subject: [keycloak-user] Exception with User Storage SPI priority configuration
In-Reply-To: <4de78f0b-2c05-fdfb-224a-6dc7124eb859@redhat.com>
References: <595C9D1A-AF2F-486C-BC32-DE85EB72AA24@n-k.de> <5ac1b419-500f-400b-2887-cae420e3926a@redhat.com> <4de78f0b-2c05-fdfb-224a-6dc7124eb859@redhat.com>

I just tried it with a private window in chrome (53.0.2785.143 Built on Ubuntu) as well as firefox (49.0.2).
The following seems to work in current master (2.4.0.CR-1 c3f3c5c)
Steps:
1) User Federation -> add provider -> example-user-storage-jpa
2) click save (note the cache policy stays empty NOT default -> which changes to DEFAULT after save)
-> Success message -> now I can edit the storage provider without problems.

The following does not work
Steps:
1) User Federation -> add provider -> example-user-storage-jpa
2) select CachePolicy: Default
3) click save
-> Error message...
Same in firefox and chrome.

With the latest keycloak release 2.3.0.Final I can also reproduce the problem in chrome and firefox
Steps:
1) User Federation -> add provider -> example-user-storage-jpa
2) click save
-> Success message
Priority is empty after save...
3) changing priority to 10
4) save
-> Error message

From michael_furman at hotmail.com Thu Nov 3 15:14:25 2016
From: michael_furman at hotmail.com (Michael Furman)
Date: Thu, 3 Nov 2016 19:14:25 +0000
Subject: [keycloak-user] Creation UI for new authentication schema configuration.

Hi,
Unfortunately I can not deploy the example authentication provider to Keycloak.
Who can help?
I have compiled authenticator-required-action-example from the examples.
I copied the provider jar into the "standalone/configuration/providers" directory according to the document:
https://keycloak.gitbooks.io/server-developer-guide/content/v/2.2/topics/auth-spi.html
Unfortunately Keycloak does not recognize the provider.
Then I have copied it to the "providers" folder under the root Keycloak folder. Also without success.
I have opened an issue https://issues.jboss.org/browse/KEYCLOAK-3856
Best regards,
Michael

________________________________
From: Stian Thorgersen
Sent: Tuesday, November 1, 2016 11:08 AM
To: Michael Furman
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Creation UI for new authentication schema configuration.

On the config for the authenticator. Please look at the docs and also the example, it explains this pretty well.

On 31 October 2016 at 13:47, Michael Furman wrote:
Thanks,
Where will I see the generated UI? On the authentication page?
http://localhost:8080/auth/admin/master/console/#/realms/master/authentication/flows/browser
Also, can I add / update the authenticator configuration via REST API?
http://www.keycloak.org/docs/rest-api/#_update_authenticator_configuration
Thank you in advance for your help.
Best regards,
Michael

________________________________
From: Stian Thorgersen
Sent: Monday, October 31, 2016 8:00 AM
To: Michael Furman
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Creation UI for new authentication schema configuration.
Configuration UI is generated based on what's returned by the getConfigProperties method.

On 30 October 2016 at 12:28, Michael Furman wrote:
Thanks Stian,
I will be happy for the additional clarifications.
I have looked in https://keycloak.gitbooks.io/server-developer-guide/content/topics/auth-spi.html but was not able to find a lot.
I think that the following is relevant:
The next few methods define how the Authenticator can be configured. ...
The getConfigProperties() method returns a list of ProviderConfigProperty objects. These objects define a specific configuration attribute.
But according to my understanding the configuration should appear in the Authenticator configuration UI.
Therefore, how should I create the UI?
Additional question: will the new Authenticator appear in Authentication Flows:
https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/authentication/flows.html
Will I be able to configure Required / Optional / Disabled for the new Authenticator?
Thank you in advance for your help.
Best regards,
Michael

________________________________
From: Stian Thorgersen
Sent: Thursday, October 27, 2016 9:57 AM
To: Michael Furman
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Creation UI for new authentication schema configuration.

We don't support that directly so you would have to develop your own custom authenticator for it. The doc you linked describes how to do that.

On 26 October 2016 at 17:08, Michael Furman wrote:
Hi all,
I want to add support for the new authentication schema.
How can I add UI for new authentication schema configuration?
For example, I want to add the TACACS authentication schema. Therefore I need to configure the TACACS server IP and the secret.
Maybe I have missed it, but I can not find it here: https://keycloak.gitbooks.io/server-developer-guide/content/topics/auth-spi.html
Thank you in advance for your help.
Best regards,
Michael

From bburke at redhat.com Thu Nov 3 17:02:49 2016
From: bburke at redhat.com (Bill Burke)
Date: Thu, 3 Nov 2016 17:02:49 -0400
Subject: [keycloak-user] Exception with User Storage SPI priority configuration
References: <595C9D1A-AF2F-486C-BC32-DE85EB72AA24@n-k.de> <5ac1b419-500f-400b-2887-cae420e3926a@redhat.com> <4de78f0b-2c05-fdfb-224a-6dc7124eb859@redhat.com>

Yeah, I have this fixed on my local repo. Move initialization of cachePolicy in users.js

    function initUserStorageSettings() {
        if ($scope.create) {
            instance.name = providerFactory.id;
            instance.providerId = providerFactory.id;
            instance.providerType = 'org.keycloak.storage.UserStorageProvider';
            instance.parentId = realm.id;
            instance.config = { };
            instance.config['priority'] = ["0"];
            $scope.fullSyncEnabled = false;
            $scope.changedSyncEnabled = false;
            if (providerFactory.metadata.synchronizable) {
                instance.config['fullSyncPeriod'] = ['-1'];
                instance.config['changedSyncPeriod'] = ['-1'];
            }
            instance.config['cachePolicy'] = ['DEFAULT'];
            instance.config['evictionDay'] = [''];
            instance.config['evictionHour'] = [''];
            instance.config['evictionMinute'] = [''];
            instance.config['maxLifespan'] = [''];
            if (providerFactory.properties) {
                for (var i = 0; i /* archive gap: the rest of this loop, its body and the start of the else-branch are missing from the archived message */ 0);
            $scope.changedSyncEnabled = (instance.config['changedSyncPeriod'] && instance.config['changedSyncPeriod'][0] > 0);
            if (providerFactory.metadata.synchronizable) {
                if (!instance.config['fullSyncPeriod']) {
                    console.log('setting to -1');
                    instance.config['fullSyncPeriod'] = ['-1'];
                }
                if (!instance.config['changedSyncPeriod']) {
                    console.log('setting to -1');
                    instance.config['changedSyncPeriod'] = ['-1'];
                }
            }
            if (!instance.config['cachePolicy']) {
                instance.config['cachePolicy'] = ['DEFAULT'];
            }
            if (!instance.config['evictionDay']) {
                instance.config['evictionDay'] = [''];
            }
            if (!instance.config['evictionHour']) {
                instance.config['evictionHour'] = [''];
            }
            if (!instance.config['evictionMinute']) {
                instance.config['evictionMinute'] = [''];
            }
            if (!instance.config['maxLifespan']) {
                instance.config['maxLifespan'] = [''];
            }
            if (!instance.config['priority']) {
                instance.config['priority'] = ['0'];
            }
        }

On 11/3/16 3:10 PM, Thomas Darimont wrote:
> I just tried it with a private window in chrome (53.0.2785.143 Built on Ubuntu) as well as firefox (49.0.2).
> The following seems to work in current master (2.4.0.CR-1 c3f3c5c)
> Steps:
> 1) User Federation -> add provider -> example-user-storage-jpa
> 2) click save (note the cache policy stays empty NOT default -> which changes to DEFAULT after save)
> -> Success message -> now I can edit the storage provider without problems.
> The following does not work
> Steps:
> 1) User Federation -> add provider -> example-user-storage-jpa
> 2) select CachePolicy: Default
> 3) click save
> -> Error message...
> Same in firefox and chrome.
> With the latest keycloak release 2.3.0.Final I can also reproduce the problem in chrome and firefox
> Steps:
> 1) User Federation -> add provider -> example-user-storage-jpa
> 2) click save
> -> Success message
> Priority is empty after save...
> 3) changing priority to 10
> 4) save
> -> Error message

From chairfield at gmail.com Thu Nov 3 17:23:36 2016
From: chairfield at gmail.com (Chris Hairfield)
Date: Thu, 03 Nov 2016 21:23:36 +0000
Subject: [keycloak-user] Losing some sessions during clustering

No dice, sadly. Here's our latest test:
1. Set owners to 2 for all 3 caches
2. Start 2 nodes
3. Perform a rolling release
   a. Start node 3
   b. Wait for node 3 to respond 200 on admin console
   c. Kill node 1
   d. Start node 4
   e. Wait for node 4 to respond 200 on admin console
   f. Kill node 2

We lost sessions, even though there were always at least 2 nodes fully online.
*(To be explicit, this was judged by signing into the admin console.
Is this a fair test? The # of sessions reported by Keycloak stayed the same...)*

We're considering switching over from Infinispan to Postgres for session storage, at least to see if it works. Still, any additional tips or thoughts would be great.

Thanks so far,
Chris

On Thu, Nov 3, 2016 at 11:36 AM Chris Hairfield wrote:
> Many thanks, John. This seems very likely. If there's no response from our part, you may assume it's fixed.
>
> Cheers,
> Chris
>
> On Thu, Nov 3, 2016 at 11:26 AM John Bartko wrote:
>
> It sounds like sessions distributed-cache is not being replicated.
>
> From the Install/Config documentation on cache replication:
> "By default, Keycloak only specifies one owner for data. So if that one node goes down that data is lost. This usually means that users will be logged out and will have to login again."
>
> jboss-cli snippet:
> /subsystem=infinispan/cache-container=keycloak/distributed-cache=sessions:write-attribute(name=owners, value=2)
>
> Hope that helps,
> -John Bartko
>
> On Thu, Nov 3, 2016 at 12:08 PM, Chris Hairfield wrote:
>
> Hello Keycloak users,
>
> We're seeing strange behavior with the session handling when starting up a new node. Keycloak doesn't retain all sessions. Here's our experiment:
>
> 1. start with 1 node containing a few dozen sessions
> 2. start node 2 (nodes clustered via JGroups Ping table + infinispan)
> 3. wait for 10 minutes
> 4. stop node 1
>
> End result: *some* of the clients connected are forced to log back in. Most sessions remain.
>
> We're still investigating, so I cannot infer beyond this point at the moment. I'm simply curious whether anyone knows the following:
>
> - are *all* sessions meant to be migrated to new nodes?
> - how long does it take to migrate sessions?
> - does a new node wait until sessions are migrated before it enables the admin interface?
> - is there any logic to prune sessions on clustering?
>
> Any thoughts would be greatly appreciated.
>
> Thanks,
> Chris

From amorse at deloitte.com Thu Nov 3 19:08:47 2016
From: amorse at deloitte.com (Morse, Alexander (US - Newton))
Date: Thu, 3 Nov 2016 23:08:47 +0000
Subject: [keycloak-user] Backend to Backend Call

Thanks for the prompt response, Stian.

I don't love the idea of creating signed JWTs outside of Keycloak as that introduces some key management complexity etc. Is it an acceptable idea to pass the refresh token in a cookie instead of a header?

Are there plans to provide support for this use case in future releases?

Thanks again,
Alex

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Tuesday, November 1, 2016 5:14 AM
To: Morse, Alexander (US - Newton)
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Backend to Backend Call

Actually this is not a use-case that we solve particularly well, but passing the refresh token is not a great idea.

One option would be to increase the access token timeout, but that would have side effects on all other use-cases. The best and most secure option would be to have a one-time token that is passed to the asynchronous service. This is not something we have support for directly though and it would most likely not involve the IdP (Keycloak server) at all, but rather be a signed JWT issued by the caller that can be used by the async service for the callback.

On 31 October 2016 at 22:10, Morse, Alexander (US - Newton) wrote:
Hi,

Want to know the recommended approach for having asynchronous backend services that are secured through bearer tokens call each other. We have an interactive web application that calls a backend service. The JavaScript adapter places the access token in the Authorization header.
This backend service starts an asynchronous job that then calls another backend service, passing along the same Access Token. The problem arises when the access token has expired while the first job was processing. Seems like one relatively straightforward approach would be to have the front end pass a refresh token to the backend, which it can use to obtain a new access token. Are there better approaches? The adapters do not seem to natively support this.

Thanks,
Alex

This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this message and any disclosure, copying, or distribution of this message, or the taking of any action based on it, by you is strictly prohibited. v.E.1

From sthorger at redhat.com Fri Nov 4 01:15:45 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 4 Nov 2016 06:15:45 +0100
Subject: [keycloak-user] Few questions about production deployment
In-Reply-To: <3AFB10CF-C262-4A30-B86F-0E2D9DC524BB@gmail.com>
References: <3AFB10CF-C262-4A30-B86F-0E2D9DC524BB@gmail.com>

You do need to setup clustering. You can use domain mode or standalone-ha mode. We haven't documented the steps required on AWS, but there are ways to configure the underlying JGroups to work on AWS. There's a few people that have got this working and you should be able to find the details by searching the user mailing lists: http://www.keycloak.org/search.html?q=aws

On 3 November 2016 at 19:03, Predrag Mijatovic wrote:
> Hi,
>
> I've successfully deployed Keycloak in Standalone mode. Now I need to deploy it in production, meaning I need more resilience.
>
> I've read in the documentation that Domain Clustered Mode requires network multicast, which is not available in AWS. I've also read that there are ways to circumvent this (didn't find a guide where someone actually explains the whole process though), but I'm not so sure that it would be a good approach - I don't want to introduce more complexity.
>
> What is the best approach here? Should I insist on Domain Clustered Mode in AWS (can you provide guides where it's explained how to achieve that)? Or, is it possible to create a setup with multiple Standalone deployments, with some kind of a load balancer in front of them?
>
> Thanks,
> Predrag

From sthorger at redhat.com Fri Nov 4 01:18:31 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 4 Nov 2016 06:18:31 +0100
Subject: [keycloak-user] Having difficulty logging out in a 2 client scenario
In-Reply-To: <692F2625-FAA8-4931-B0C2-50889222582C@edlogics.com>
References: <692F2625-FAA8-4931-B0C2-50889222582C@edlogics.com>

Sounds like the Spring Security Adapter is services and not a web app? If so it shouldn't deal with logins and logouts at all. It should be configured as a bearer-only client.

On 1 November 2016 at 00:11, Chris Savory wrote:
> Our application has 2 clients:
> 1. A Confidential Client that uses the Spring Security Adapter
> 2. A Public Client that uses the JavaScript Adapter for an Angular SPA app.
>
> Everything between the two is working fine until I try to logout under certain conditions.
>
> Logout works fine if I first: deep link into a protected page in my app. The SpringSecurity adapter for client #1 redirects me to Keycloak. Keycloak then logs me in and sends me back to my app where my token was issued for client #1.
> If I logout under this scenario via the SpringSecurity adapter it works fine.
>
> In Scenario #2 I first hit an Angular page in my app. Then I log in from the JS Adapter in client #2. Then through a Rest call to my Spring App (in which a Bearer token is passed) a java session is established on Tomcat. When I put some break points in the Keycloak Adapter classes I can see that the KeycloakToken only contains the token in this scenario, but not the refresh token. I can also see that the token was issued for client #2. When I try to logout, the adapter sends a request to Keycloak with an empty refresh_token and keycloak returns a 400 error, thus nullifying the logout.
>
> I also tried another scenario where I use the JS Adapter to get the logout URL and logout directly to Keycloak via 'window.location = keycloak.createLogoutUrl({ redirectUri: '/site-url' })'. This actually logs out the user from all clients (which is what I want), but the problem here is on the next request to the Spring app I think there is still an HttpSession alive and I'm running into the check in SpringSecurityTokenStore.saveAccountInfo where it throws an exception because there is already an (old) token inside the SecurityContextHolder.
>
> Any advice on how to proceed from either of these two scenarios?
>
> --
> Christopher Savory
> Software Engineer | EdLogics

From sthorger at redhat.com Fri Nov 4 01:20:55 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 4 Nov 2016 06:20:55 +0100
Subject: [keycloak-user] Stateless REST webservice registration

You don't always need to register a client for a REST service, but it needs to be registered if:

* You invoke token introspection endpoint
* You use authorization services
* You want to retrieve config for the adapter from Keycloak
* You want to assign client level roles to the service

But, if all you want is to verify the token you can skip registering in Keycloak server.

On 1 November 2016 at 09:57, Robert . wrote:
> I'm trying to expand my knowledge about Keycloak and OpenID Connect.
> Is it necessary for a stateless REST webservice to be registered as a client in Keycloak?
> The token sent to the REST service is signed, so the REST service could verify the authenticity and validity of the token if it has the public key of the keycloak server.
>
> Why would there be any need for direct communication between the REST service and Keycloak?

From sthorger at redhat.com Fri Nov 4 01:23:26 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 4 Nov 2016 06:23:26 +0100
Subject: [keycloak-user] Creating the UI using REST API

You need to include the authorization header in the request to the REST API, as such you can't invoke it by opening it in the browser. Try the CURL example in the docs.
On 1 November 2016 at 10:50, Michael Furman wrote:
> For example UI for the user management: add user, update user, delete user.
>
> I can find appropriate REST APIs, but I want to understand how to use it.
>
> ------------------------------
> *From:* Stian Thorgersen
> *Sent:* Tuesday, November 1, 2016 11:09 AM
> *To:* Michael Furman
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Creating the UI using REST API
>
> UI for what?
>
> On 31 October 2016 at 09:41, Michael Furman wrote:
>
>> Hi all,
>> We need to create our own UI using REST API.
>> I have authenticated a user in UI (http://localhost:8080/auth/admin/master/console/#/realms/master) and then I have tried to open some REST API from a browser in the new tab (for example http://localhost:8080/auth/admin/realms/master/clients).
>>
>> Unfortunately I get HTTP 401 bearer error.
>> I see that I need the bearer token if I access REST API from the command line: https://keycloak.gitbooks.io/server-developer-guide/content/v/2.2/topics/admin-rest-api.html
>>
>> What should the UI do to access REST API?
>> Also, how to allocate the bearer token and then to access REST API?
>> Do you have any JS lib that makes the process easier?
>> Thank you in advance for your help.
>> Best regards,
>> Michael

From sthorger at redhat.com Fri Nov 4 01:26:42 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 4 Nov 2016 06:26:42 +0100
Subject: [keycloak-user] Email Verification

It is indeed a bit flawed and is something we should take a look at. Can you create a JIRA please? I can't think of any way of doing this without modifying the Keycloak code. Any chance you'd be interested in doing a PR for it?
On 2 November 2016 at 03:34, Adam Keily wrote:
> Just wondering if I'm missing something. The following scenario, to me, seems flawed.
>
> Realm Setting to verify email = On
>
> 1. New user registers an account.
> 2. From the account page, they change their email address, but have a typo in the address.
> 3. Attempt to login again and receive an error saying their email needs to be verified.
> 4. Cannot verify email because of the typo, user is locked out.
>
> To my way of thinking the email address should be verified at the time it is changed and before the new value is written to the attribute. Is that possible?
>
> Thanks
> Adam

From sthorger at redhat.com Fri Nov 4 01:28:05 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 4 Nov 2016 06:28:05 +0100
Subject: [keycloak-user] Realm Roles not returned on search

There's no way at the moment. You can open a JIRA for it.

On 2 November 2016 at 17:58, Chris Savory wrote:
> Is there a setting available to get an Admin API user search to return the Realm Roles?
>
> This does not return the roles:
>     public List getAllUsers() {
>         return keyCloak.realm( applicationSettings.
>                 getKeycloakApplicationProperties().getRealm() )
>             .users().search( StringUtils.EMPTY, 0, Integer.MAX_VALUE );
>     }
>
> If we need the roles, we are currently forced to this:
>     public UserRepresentation getUserById( String id ) {
>         UserResource userResource = keyCloak.realm(
>                 applicationSettings.getKeycloakApplicationProperties().getRealm() )
>             .users().get( id );
>         UserRepresentation userRepresentation = userResource.toRepresentation();
>         userRepresentation.setRealmRoles(
>             userResource.roles().getAll().getRealmMappings().stream().map( RoleRepresentation::getName ).collect( Collectors.toList() ) );
>         userRepresentation.setGroups(
>             userResource.groups().stream().map( GroupRepresentation::getName ).collect( Collectors.toList() ) );
>
>         return userRepresentation;
>     }
>
> There are some cases we have where we are getting a large list of users and would want to exclude any ROLE_ADMIN in that list. Checking them all one-by-one would be very inefficient.
>
> --
> Christopher Savory
> Software Engineer | EdLogics

From sthorger at redhat.com Fri Nov 4 01:28:35 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 4 Nov 2016 06:28:35 +0100
Subject: [keycloak-user] External 2FA Integration

You can write your own custom authenticator. See https://keycloak.gitbooks.io/server-developer-guide/content/v/2.2/topics/auth-spi.html

On 1 November 2016 at 23:27, Adam Keily wrote:
> Hi,
>
> Is there any support / guidance for implementing external auth providers. Particularly external MFA providers such as DUO or RSA etc.
>
> Thanks
> Adam

From sthorger at redhat.com Fri Nov 4 01:31:27 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 4 Nov 2016 06:31:27 +0100
Subject: [keycloak-user] Performance lag in client role creation and retrieval

We're actually currently looking at some issues around this. Please create a JIRA and we'll make sure your case is checked as well. Hopefully this will be solved in the upcoming 2.4 release.

On 3 November 2016 at 12:16, Padmaka Wijaygoonawardena wrote:
> Hi,
>
> I'm currently using Keycloak 2.2.1 with a MySQL database. The setup I'm using has 2 Keycloak nodes and around 4000 client roles for one client. The process I go through for adding is as follows:
>
> 1. GET call to check whether the role already exists. (takes around 2000ms)
> 2. POST call to create the new client role. (takes around 10000ms)
> 3. GET call to get the newly created client role (since the create role call doesn't send the full client role in the response body). (takes around 10000ms)
>
> The Keycloak version I used earlier was 1.9.0; with that version this process worked fine with one call taking around 700ms on average.
>
> So as shown above this is a huge performance lag. With further investigation I found the following points:
>
> 1. When using only one Keycloak node this problem doesn't appear. Therefore it should be some issue with infinispan cache.
> 2. When I remove the get calls and only send the create calls then the calls return in 2000ms on average.
> 3. This lag only appears when executing a get role call soon after creating a client role.
>
> I double checked the changes for 2.3.0 [1]; since there is nothing said about cache or related issues I raised this issue.
>
> Any advice or fix would be highly appreciated.
> Thanks in advance.
>
> [1] - http://blog.keycloak.org/2016/10/keycloak-230cr1-released.html
>
> Cheers,
> Padmaka.

From sthorger at redhat.com Fri Nov 4 01:34:37 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 4 Nov 2016 06:34:37 +0100
Subject: [keycloak-user] Backend to Backend Call

By passing the refresh token you are giving the service "unlimited" access, which you probably don't want to do. Refresh tokens are really designed to be kept securely by an application and not to be passed around.

Could you have the backend service use a service account? That way it can obtain tokens on behalf of itself.

On 4 November 2016 at 00:08, Morse, Alexander (US - Newton) <amorse at deloitte.com> wrote:
> Thanks for the prompt response, Stian.
>
> I don't love the idea of creating signed JWTs outside of Keycloak as that introduces some key management complexity etc. Is it an acceptable idea to pass the refresh token in a cookie instead of a header?
>
> Are there plans to provide support for this use case in future releases?
>
> Thanks again,
> Alex
>
> *From:* Stian Thorgersen [mailto:sthorger at redhat.com]
> *Sent:* Tuesday, November 1, 2016 5:14 AM
> *To:* Morse, Alexander (US - Newton)
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Backend to Backend Call
>
> Actually this is not a use-case that we solve particularly well, but passing the refresh token is not a great idea.
>
> One option would be to increase the access token timeout, but that would have side effects on all other use-cases. The best and most secure option would be to have a one-time token that is passed to the asynchronous service.
> This is not something we have support for directly though and it would most likely not involve the IdP (Keycloak server) at all, but rather be a signed JWT issued by the caller that can be used by the async service for the callback.
>
> On 31 October 2016 at 22:10, Morse, Alexander (US - Newton) <amorse at deloitte.com> wrote:
>
> Hi,
>
> Want to know the recommended approach for having asynchronous backend services that are secured through bearer tokens call each other. We have an interactive web application that calls a backend service. The JavaScript adapter places the access token in the Authorization header. This backend service starts an asynchronous job that then calls another backend service, passing along the same access token. The problem arises when the access token has expired while the first job was processing. Seems like one relatively straightforward approach would be to have the front end pass a refresh token to the backend, which it can use to obtain a new access token. Are there better approaches? The adapters do not seem to natively support this.
>
> Thanks,
> Alex
>
> This message (including any attachments) contains confidential information intended for a specific individual and purpose, and is protected by law. If you are not the intended recipient, you should delete this message and any disclosure, copying, or distribution of this message, or the taking of any action based on it, by you is strictly prohibited.
> v.E.1

From sthorger at redhat.com Fri Nov 4 01:39:08 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 4 Nov 2016 06:39:08 +0100
Subject: [keycloak-user] Clarifications regarding advanced authentications (LDAP, Kerberos, SAML)

On 3 November 2016 at 06:08, Michael Furman wrote:

> Hi all,
> I will be happy for clarifications regarding advanced authentications (LDAP, Kerberos, SAML).
>
> 1. Why is Kerberos "User Federation" but SAML is "Identity Provider"? Both are SSO protocols (I do understand the difference between the protocols but it is seamless from the user point of view).

Identity Brokering is for Web SSO IdPs. It works by redirecting the user. User federation works by reading users from external sources. Kerberos when used with LDAP is just an authenticator, but there's also a federation provider so it can be used without LDAP, in which case only the username is available and the rest has to be filled in manually by the user.

> What is the difference between User Federation and Identity Provider in Keycloak?
> Will Keycloak import all users from those defined in "User Federation" into the internal database?
>
> 2. How do I incorporate "User Federation" or "Identity Provider" into the authentication flow? I see that I can add "Identity Provider Redirector" but how do I add "User Federation"?

Identity provider is a redirect and the user has to click a button or you set up the default one. User federation works by looping through providers until a match for the username is found.

> 3. Regarding LDAP: I have added LDAP User Federation. The "Test connection" and the "Test authentication" pass successfully but I can not authenticate LDAP users in the UI. What have I missed? Should I add LDAP to the authentication flow?
You may not have configured it properly and it can't find the user within LDAP. Test connection / authentication just checks that Keycloak can connect to LDAP, not that it can find a specific user.

> Thank you in advance for your help.
>
> Michael

From sthorger at redhat.com Fri Nov 4 01:51:46 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 4 Nov 2016 06:51:46 +0100
Subject: [keycloak-user] Creation UI for new authentication schema configuration.

I don't know what you mean by it is not recognized by Keycloak. Did you follow the steps in the example to register it? See https://github.com/keycloak/keycloak/blob/master/examples/providers/authenticator/README.md

On 3 November 2016 at 20:14, Michael Furman wrote:

> Hi,
>
> Unfortunately I can not deploy the example authentication provider to Keycloak.
>
> Who can help?
>
> I have compiled authenticator-required-action-example from the examples. I copied the provider jar into the "standalone/configuration/providers" directory according to the document: https://keycloak.gitbooks.io/server-developer-guide/content/v/2.2/topics/auth-spi.html
>
> Unfortunately Keycloak does not recognize the provider. Then I copied it to the "providers" folder under the root Keycloak folder. Also without success.
>
> I have opened an issue https://issues.jboss.org/browse/KEYCLOAK-3856
>
> Best regards,
>
> Michael
>
> ------------------------------
> *From:* Stian Thorgersen
> *Sent:* Tuesday, November 1, 2016 11:08 AM
> *To:* Michael Furman
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Creation UI for new authentication schema configuration.
>
> On the config for the authenticator.
> Please look at the docs and also the example; it explains this pretty well.
>
> On 31 October 2016 at 13:47, Michael Furman wrote:
>
>> Thanks,
>>
>> Where will I see the generated UI? On the authentication page?
>> http://localhost:8080/auth/admin/master/console/#/realms/master/authentication/flows/browser
>>
>> Also, can I add / update the authenticator configuration via REST API?
>> http://www.keycloak.org/docs/rest-api/#_update_authenticator_configuration
>>
>> Thank you in advance for your help.
>>
>> Best regards,
>>
>> Michael
>>
>> ------------------------------
>> *From:* Stian Thorgersen
>> *Sent:* Monday, October 31, 2016 8:00 AM
>> *To:* Michael Furman
>> *Cc:* keycloak-user at lists.jboss.org
>> *Subject:* Re: [keycloak-user] Creation UI for new authentication schema configuration.
>>
>> Configuration UI is generated based on what's returned by the getConfigProperties method.
>>
>> On 30 October 2016 at 12:28, Michael Furman wrote:
>>
>>> Thanks Stian,
>>>
>>> I will be happy for the additional clarifications.
>>>
>>> I have looked in https://keycloak.gitbooks.io/server-developer-guide/content/topics/auth-spi.html but was not able to find a lot.
>>>
>>> I think that the following is relevant:
>>>
>>> *The next few methods define how the Authenticator can be configured.*
>>>
>>> *…*
>>>
>>> *The getConfigProperties() method returns a list of ProviderConfigProperty objects. These objects define a specific configuration attribute.*
>>>
>>> But according to my understanding the configuration should appear in the Authenticator configuration UI.
>>>
>>> Therefore, how should I create the UI?
>>> Additional question: will the new Authenticator appear in Authentication Flows:
>>> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/authentication/flows.html
>>>
>>> Will I be able to configure Required / Optional / Disabled for the new Authenticator?
>>>
>>> Thank you in advance for your help.
>>>
>>> Best regards,
>>>
>>> Michael
>>>
>>> ------------------------------
>>> *From:* Stian Thorgersen
>>> *Sent:* Thursday, October 27, 2016 9:57 AM
>>> *To:* Michael Furman
>>> *Cc:* keycloak-user at lists.jboss.org
>>> *Subject:* Re: [keycloak-user] Creation UI for new authentication schema configuration.
>>>
>>> We don't support that directly so you would have to develop your own custom authenticator for it. The doc you linked describes how to do that.
>>>
>>> On 26 October 2016 at 17:08, Michael Furman wrote:
>>>
>>>> Hi all,
>>>> I want to add support for the new authentication schema. How can I add UI for new authentication schema configuration? For example, I want to add the TACACS authentication schema. Therefore I need to configure the TACACS server IP and the secret. Maybe I have missed it but I can not find it here:
>>>> https://keycloak.gitbooks.io/server-developer-guide/content/topics/auth-spi.html
>>>>
>>>> Thank you in advance for your help.
>>>> Best regards,
>>>> Michael

From sthorger at redhat.com Fri Nov 4 01:52:33 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 4 Nov 2016 06:52:33 +0100
Subject: [keycloak-user] Creation UI for new authentication schema configuration.
FYI we did check this example for the 2.3.0.CR1 release so I doubt it's broken.

On 4 November 2016 at 06:51, Stian Thorgersen wrote:

> I don't know what you mean by it is not recognized by Keycloak. Did you follow the steps in the example to register it? See https://github.com/keycloak/keycloak/blob/master/examples/providers/authenticator/README.md
>
> On 3 November 2016 at 20:14, Michael Furman wrote:
>
>> Hi,
>>
>> Unfortunately I can not deploy the example authentication provider to Keycloak.
>>
>> Who can help?
>>
>> I have compiled authenticator-required-action-example from the examples. I copied the provider jar into the "standalone/configuration/providers" directory according to the document: https://keycloak.gitbooks.io/server-developer-guide/content/v/2.2/topics/auth-spi.html
>>
>> Unfortunately Keycloak does not recognize the provider. Then I copied it to the "providers" folder under the root Keycloak folder. Also without success.
>>
>> I have opened an issue https://issues.jboss.org/browse/KEYCLOAK-3856
>>
>> Best regards,
>>
>> Michael
>>
>> ------------------------------
>> *From:* Stian Thorgersen
>> *Sent:* Tuesday, November 1, 2016 11:08 AM
>> *To:* Michael Furman
>> *Cc:* keycloak-user at lists.jboss.org
>> *Subject:* Re: [keycloak-user] Creation UI for new authentication schema configuration.
>>
>> On the config for the authenticator. Please look at the docs and also the example; it explains this pretty well.
>>
>> On 31 October 2016 at 13:47, Michael Furman wrote:
>>
>>> Thanks,
>>>
>>> Where will I see the generated UI? On the authentication page?
>>> http://localhost:8080/auth/admin/master/console/#/realms/master/authentication/flows/browser
>>>
>>> Also, can I add / update the authenticator configuration via REST API?
>>> http://www.keycloak.org/docs/rest-api/#_update_authenticator_configuration
>>>
>>> Thank you in advance for your help.
>>>
>>> Best regards,
>>>
>>> Michael
>>>
>>> ------------------------------
>>> *From:* Stian Thorgersen
>>> *Sent:* Monday, October 31, 2016 8:00 AM
>>> *To:* Michael Furman
>>> *Cc:* keycloak-user at lists.jboss.org
>>> *Subject:* Re: [keycloak-user] Creation UI for new authentication schema configuration.
>>>
>>> Configuration UI is generated based on what's returned by the getConfigProperties method.
>>>
>>> On 30 October 2016 at 12:28, Michael Furman wrote:
>>>
>>>> Thanks Stian,
>>>>
>>>> I will be happy for the additional clarifications.
>>>>
>>>> I have looked in https://keycloak.gitbooks.io/server-developer-guide/content/topics/auth-spi.html but was not able to find a lot.
>>>>
>>>> I think that the following is relevant:
>>>>
>>>> *The next few methods define how the Authenticator can be configured.*
>>>>
>>>> *…*
>>>>
>>>> *The getConfigProperties() method returns a list of ProviderConfigProperty objects. These objects define a specific configuration attribute.*
>>>>
>>>> But according to my understanding the configuration should appear in the Authenticator configuration UI.
>>>>
>>>> Therefore, how should I create the UI?
>>>>
>>>> Additional question: will the new Authenticator appear in Authentication Flows:
>>>> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/authentication/flows.html
>>>>
>>>> Will I be able to configure Required / Optional / Disabled for the new Authenticator?
>>>>
>>>> Thank you in advance for your help.
>>>> Best regards,
>>>>
>>>> Michael
>>>>
>>>> ------------------------------
>>>> *From:* Stian Thorgersen
>>>> *Sent:* Thursday, October 27, 2016 9:57 AM
>>>> *To:* Michael Furman
>>>> *Cc:* keycloak-user at lists.jboss.org
>>>> *Subject:* Re: [keycloak-user] Creation UI for new authentication schema configuration.
>>>>
>>>> We don't support that directly so you would have to develop your own custom authenticator for it. The doc you linked describes how to do that.
>>>>
>>>> On 26 October 2016 at 17:08, Michael Furman wrote:
>>>>
>>>>> Hi all,
>>>>> I want to add support for the new authentication schema. How can I add UI for new authentication schema configuration? For example, I want to add the TACACS authentication schema. Therefore I need to configure the TACACS server IP and the secret. Maybe I have missed it but I can not find it here:
>>>>> https://keycloak.gitbooks.io/server-developer-guide/content/topics/auth-spi.html
>>>>>
>>>>> Thank you in advance for your help.
>>>>> Best regards,
>>>>> Michael

From sthorger at redhat.com Fri Nov 4 01:58:40 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 4 Nov 2016 06:58:40 +0100
Subject: [keycloak-user] Losing some sessions during clustering

Do you wait until the nodes are fully started or just 200 from admin console? You need to wait for Infinispan to successfully transfer the state.

Try giving it at least a couple min before killing nodes.

Have you checked that clustering is working properly and that nodes see each other?

We don't support Postgres for session storage, so not sure how you are planning to switch to that.

On 3 November 2016 at 22:23, Chris Hairfield wrote:

> No dice, sadly.
> Here's our latest test:
>
> 1. Set owners to 2 for all 3 caches
> 2. Start 2 nodes
> 3. Perform a rolling release
>    a. Start node 3
>    b. Wait for node 3 to respond 200 on admin console
>    c. Kill node 1
>    d. Start node 4
>    e. Wait for node 4 to respond 200 on admin console
>    f. Kill node 2
>
> We lost sessions, even though there were always at least 2 nodes fully online. *(To be explicit, this was judged by signing into the admin console. Is this a fair test? The # of sessions reported by Keycloak stayed the same...)*
>
> We're considering switching over from Infinispan to Postgres for session storage, at least to see if it works. Still, any additional tips or thoughts would be great.
>
> Thanks so far,
> Chris
>
> On Thu, Nov 3, 2016 at 11:36 AM Chris Hairfield wrote:
>
> > Many thanks, John. This seems very likely. If there's no response from our part, you may assume it's fixed.
> >
> > Cheers,
> > Chris
> >
> > On Thu, Nov 3, 2016 at 11:26 AM John Bartko <john.bartko at drillinginfo.com> wrote:
> >
> > It sounds like the sessions distributed-cache is not being replicated.
> >
> > From the Install/Config documentation on cache replication configuration/content/v/2.3/topics/cache/replication.html>:
> > "By default, Keycloak only specifies one owner for data. So if that one node goes down that data is lost. This usually means that users will be logged out and will have to login again."
> >
> > jboss-cli snippet:
> > /subsystem=infinispan/cache-container=keycloak/distributed-cache=sessions:write-attribute(name=owners, value=2)
> >
> > Hope that helps,
> > -John Bartko
> >
> > On Thu, Nov 3, 2016 at 12:08 PM, Chris Hairfield wrote:
> >
> > Hello Keycloak users,
> >
> > We're seeing strange behavior with the session handling when starting up a new node. Keycloak doesn't retain all sessions. Here's our experiment:
> >
> > 1. start with 1 node containing a few dozen sessions
> > 2.
> > start node 2 (nodes clustered via JGroups Ping table + infinispan)
> > 3. wait for 10 minutes
> > 4. stop node 1
> >
> > End result: *some* of the clients connected are forced to log back in. Most sessions remain.
> >
> > We're still investigating, so I cannot infer beyond this point at the moment. I'm simply curious whether anyone knows the following:
> >
> > - are *all* sessions meant to be migrated to new nodes?
> > - how long does it take to migrate sessions?
> > - does a new node wait until sessions are migrated before it enables the admin interface?
> > - is there any logic to prune sessions on clustering?
> >
> > Any thoughts would be greatly appreciated.
> >
> > Thanks,
> > Chris

From thomas.darimont at googlemail.com Fri Nov 4 02:14:44 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Fri, 4 Nov 2016 07:14:44 +0100
Subject: [keycloak-user] Losing some sessions during clustering

Is there a way in Keycloak to detect if session state has been retrieved by a Keycloak node? Perhaps Keycloak could listen for the first replication event and change a flag based on that... This could then be used by a health-check which could be accessed via a load-balancer like ha-proxy or nginx.

Cheers,
Thomas

On 04.11.2016 6:59 AM, "Stian Thorgersen" wrote:

> Do you wait until the nodes are fully started or just 200 from admin console? You need to wait for Infinispan to successfully transfer the state.
>
> Try giving it at least a couple min before killing nodes.
> Have you checked that clustering is working properly and that nodes see each other?
>
> We don't support Postgres for session storage, so not sure how you are planning to switch to that.
>
> On 3 November 2016 at 22:23, Chris Hairfield wrote:
>
> > No dice, sadly. Here's our latest test:
> >
> > 1. Set owners to 2 for all 3 caches
> > 2. Start 2 nodes
> > 3. Perform a rolling release
> >    a. Start node 3
> >    b. Wait for node 3 to respond 200 on admin console
> >    c. Kill node 1
> >    d. Start node 4
> >    e. Wait for node 4 to respond 200 on admin console
> >    f. Kill node 2
> >
> > We lost sessions, even though there were always at least 2 nodes fully online. *(To be explicit, this was judged by signing into the admin console. Is this a fair test? The # of sessions reported by Keycloak stayed the same...)*
> >
> > We're considering switching over from Infinispan to Postgres for session storage, at least to see if it works. Still, any additional tips or thoughts would be great.
> >
> > Thanks so far,
> > Chris
> >
> > On Thu, Nov 3, 2016 at 11:36 AM Chris Hairfield wrote:
> >
> > > Many thanks, John. This seems very likely. If there's no response from our part, you may assume it's fixed.
> > >
> > > Cheers,
> > > Chris
> > >
> > > On Thu, Nov 3, 2016 at 11:26 AM John Bartko <john.bartko at drillinginfo.com> wrote:
> > >
> > > It sounds like the sessions distributed-cache is not being replicated.
> > >
> > > From the Install/Config documentation on cache replication configuration/content/v/2.3/topics/cache/replication.html>:
> > > "By default, Keycloak only specifies one owner for data. So if that one node goes down that data is lost. This usually means that users will be logged out and will have to login again."
> > > jboss-cli snippet:
> > > /subsystem=infinispan/cache-container=keycloak/distributed-cache=sessions:write-attribute(name=owners, value=2)
> > >
> > > Hope that helps,
> > > -John Bartko
> > >
> > > On Thu, Nov 3, 2016 at 12:08 PM, Chris Hairfield wrote:
> > >
> > > Hello Keycloak users,
> > >
> > > We're seeing strange behavior with the session handling when starting up a new node. Keycloak doesn't retain all sessions. Here's our experiment:
> > >
> > > 1. start with 1 node containing a few dozen sessions
> > > 2. start node 2 (nodes clustered via JGroups Ping table + infinispan)
> > > 3. wait for 10 minutes
> > > 4. stop node 1
> > >
> > > End result: *some* of the clients connected are forced to log back in. Most sessions remain.
> > >
> > > We're still investigating, so I cannot infer beyond this point at the moment. I'm simply curious whether anyone knows the following:
> > >
> > > - are *all* sessions meant to be migrated to new nodes?
> > > - how long does it take to migrate sessions?
> > > - does a new node wait until sessions are migrated before it enables the admin interface?
> > > - is there any logic to prune sessions on clustering?
> > >
> > > Any thoughts would be greatly appreciated.
> > > Thanks,
> > > Chris

From chris.savory at edlogics.com Fri Nov 4 02:16:20 2016
From: chris.savory at edlogics.com (Chris Savory)
Date: Fri, 4 Nov 2016 06:16:20 +0000
Subject: [keycloak-user] Having difficulty logging out in a 2 client scenario
References: <692F2625-FAA8-4931-B0C2-50889222582C@edlogics.com>

Stian,

Currently it is both services and a web app. It's a monolith in its current state. We have plans to break apart the API services at some point, but that is in the future.

--
Christopher Savory
Software Engineer | EdLogics

From: Stian Thorgersen
Reply-To: "stian at redhat.com"
Date: Friday, November 4, 2016 at 12:18 AM
To: Chris Savory
Cc: "keycloak-user at lists.jboss.org", Danilo Bonilla, David Hartfield, Ali Elhajj
Subject: Re: [keycloak-user] Having difficulty logging out in a 2 client scenario

Sounds like the Spring Security Adapter is services and not a web app? If so it shouldn't deal with logins and logouts at all. It should be configured as a bearer-only client.

On 1 November 2016 at 00:11, Chris Savory wrote:

Our application has 2 clients:
1. A Confidential Client that uses the Spring Security Adapter
2. A Public Client that uses the JavaScript Adapter for an Angular SPA app.

Everything between the two is working fine until I try to logout under certain conditions.

Logout works fine if I first: deep link into a protected page in my app.
The SpringSecurity adapter for client #1 redirects me to Keycloak. Keycloak then logs me in and sends me back to my app, where my token was issued for client #1. If I logout under this scenario via the SpringSecurity adapter it works fine.

In Scenario #2 I first hit an Angular page in my app. Then I log in from the JS Adapter in client #2. Then through a REST call to my Spring App (in which a Bearer token is passed) a Java session is established on Tomcat. When I put some break points in the Keycloak Adapter classes I can see that the KeycloakToken only contains the token in this scenario, but not the refresh token. I can also see that the token was issued for client #2. When I try to logout, the adapter sends a request to Keycloak with an empty refresh_token and Keycloak returns a 400 error, thus nullifying the logout.

I also tried another scenario where I use the JS Adapter to get the logout URL and logout directly to Keycloak via "window.location = keycloak.createLogoutUrl({ redirectUri: '/site-url' })". This actually logs out the user from all clients (which is what I want), but the problem here is that on the next request to the Spring app I think there is still an HttpSession alive and I'm running into the check in SpringSecurityTokenStore.saveAccountInfo where it throws an exception because there is already an (old) token inside the SecurityContextHolder.

Any advice on how to proceed from either of these two scenarios?

--
Christopher Savory
Software Engineer | EdLogics

From teknodjs at gmail.com Fri Nov 4 06:18:54 2016
From: teknodjs at gmail.com (Padmaka Wijaygoonawardena)
Date: Fri, 4 Nov 2016 15:48:54 +0530
Subject: [keycloak-user] Performance lag in client role creation and retrieval

Hi,

Thanks for replying. I created a ticket here [1].
Cheers,
Padmaka

[1] - https://issues.jboss.org/browse/KEYCLOAK-3863

On Fri, Nov 4, 2016 at 11:01 AM, Stian Thorgersen wrote:

> We're actually currently looking at some issues around this. Please create a JIRA and we'll make sure your case is checked as well.
>
> Hopefully this will be solved in the upcoming 2.4 release.
>
> On 3 November 2016 at 12:16, Padmaka Wijaygoonawardena wrote:
>
>> Hi,
>>
>> I'm currently using Keycloak 2.2.1 with a MySQL database. The setup I'm using has 2 Keycloak nodes and around 4000 client roles for one client. The process I go through for adding is as follows:
>>
>> 1. GET call to check whether the role already exists. (takes around 2000ms)
>> 2. POST call to create the new client role. (takes around 10000ms)
>> 3. GET call to get the newly created client role (since the create role call doesn't send the full client role in the response body). (takes around 10000ms)
>>
>> The Keycloak version I used earlier was 1.9.0; with that version this process worked fine, with one call taking around 700ms on average.
>>
>> So as shown above this is a huge performance lag. With further investigation I found the following points:
>>
>> 1. When using only one Keycloak node this problem doesn't appear. Therefore it should be some issue with the Infinispan cache.
>> 2. When I remove the get calls and only send the create calls then the calls return in 2000ms on average.
>> 3. This lag only appears when executing a get role call soon after creating a client role.
>>
>> I double checked the changes for 2.3.0 [1]; since there is nothing said about cache or related issues I raised this issue.
>>
>> Any advice or fix would be highly appreciated. Thanks in advance.
>>
>> [1] - http://blog.keycloak.org/2016/10/keycloak-230cr1-released.html
>>
>> Cheers,
>> Padmaka.
From eric.matte at bionxinternational.com Fri Nov 4 11:14:05 2016
From: eric.matte at bionxinternational.com (Eric Matte)
Date: Fri, 4 Nov 2016 15:14:05 +0000
Subject: [keycloak-user] Infinite loop on one of our service's home page

Hi,

We are running Keycloak in production on one of our servers. For now, Keycloak is used to connect to two of our services, both of them accessed by HTTPS. One of them (service #1) is on the same server as Keycloak, and the other (service #2) is on another server. We use NGINX to proxy pass to the three services: Keycloak and service #1 on some localhost ports, and service #2 on an external IP address.

When we authenticate on service #1, we have no problem, but when we authenticate on service #2, an infinite loop occurs on the home page. When we look at the Keycloak Adapter on service #2, we can see the Keycloak object with the data (user, token, etc.), but the page refreshes automatically. When the page refreshes, it's not caused by a logout call in our JavaScript code.

Do you have any idea what it can be? We are using Keycloak version 2.2.1 FINAL.

Thank you,

Eric

Nothing in this message is intended to constitute an electronic signature unless a specific statement to the contrary is included in this message.

Confidentiality Note: This message is intended only for the person or entity to which it is addressed. It may contain confidential and/or privileged material. Any review, transmission, dissemination or other use, or taking of any action in reliance upon this message by persons or entities other than the intended recipient is strictly prohibited and may be unlawful. Communication by email is not a secure medium and, as part of the transmission process, this message may be copied to servers operated by third parties while in transit.
If you received this message in error, please immediately contact the sender by reply email and delete it from your computer, including any attachments.

From ian.lachance at bionxinternational.com Fri Nov 4 11:19:32 2016
From: ian.lachance at bionxinternational.com (Ian Lachance)
Date: Fri, 4 Nov 2016 15:19:32 +0000
Subject: [keycloak-user] Infinite loop on one of our service's home page

Hi,

We are running Keycloak in production on one of our servers. For now, Keycloak is used to connect to two of our services, both of them accessed by HTTPS. One of them (service #1) is on the same server as Keycloak, and the other (service #2) is on another server. We use NGINX to proxy pass to the three services: Keycloak and service #1 on some localhost ports, and service #2 on an external IP address.

When we authenticate on service #1, we have no problem, but when we authenticate on service #2, an infinite loop occurs on the home page. When we look at the Keycloak Adapter on service #2, we can see the Keycloak object with the data (user, token, etc.), but the page refreshes automatically. When the page refreshes, it's not caused by a logout call in our JavaScript code.

Do you have any idea what it can be? We are using Keycloak version 2.2.1 FINAL.

Thank you,

Ian

Nothing in this message is intended to constitute an electronic signature unless a specific statement to the contrary is included in this message.

Confidentiality Note: This message is intended only for the person or entity to which it is addressed. It may contain confidential and/or privileged material. Any review, transmission, dissemination or other use, or taking of any action in reliance upon this message by persons or entities other than the intended recipient is strictly prohibited and may be unlawful. Communication by email is not a secure medium and, as part of the transmission process, this message may be copied to servers operated by third parties while in transit.
If you received this message in error, please immediately contact the sender by reply email and delete it from your computer, including any attachments.

From thomas.darimont at googlemail.com Fri Nov 4 14:10:35 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Fri, 4 Nov 2016 19:10:35 +0100
Subject: [keycloak-user] Infinite loop on one of our service's home page
In-Reply-To: 
References: 
Message-ID: 

Hello,

do you see any errors in the Keycloak logs?

I experienced the same error multiple times - reasons were either wrong proxy configuration or wrong keycloak.json or database connectivity problems on a load-balanced second Keycloak instance.

Since the service on localhost is not affected it could be that your proxy configuration is wrong. If you do ssl-termination in the proxy make sure that you set the right proxy headers (from an older mailing list thread):

    proxy_pass http://your-upstream-here;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https; # <- only set this if you're using SSL

Also remember to configure proxy-address forwarding in Undertow:

    echo SETUP: Configure Undertow Proxy-Address-Forwarding for use behind Reverse Proxy
    /subsystem=undertow/server=default-server/http-listener=default/:write-attribute(name=proxy-address-forwarding,value=true)

For additional debugging you could also configure Undertow in WildFly to dump all requests to the log:

    $KEYCLOAK_HOME/bin/jboss-cli.sh -c
    /subsystem=undertow/configuration=filter/custom-filter=request-dumper:add(class-name=io.undertow.server.handlers.RequestDumpingHandler, module=io.undertow.core)
    /subsystem=undertow/server=default-server/host=default-host/filter-ref=request-dumper:add
    /:reload

Which ssl-mode did you configure in the Keycloak admin-console? Keycloak handles certain IPs differently when set to "ssl-mode: external".
This could explain why. See "ssl-mode" at: https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.3/topics/realms/ssl.html

Try setting "ssl-required: none" in keycloak.json on the second service (if internal and after ssl termination...): https://keycloak.gitbooks.io/securing-client-applications-guide/content/v/2.3/topics/oidc/java/java-adapter-config.html

Cheers,
Thomas

On 04.11.2016 4:20 PM, "Ian Lachance" <ian.lachance at bionxinternational.com> wrote:
> Hi,
>
> We are running Keycloak in production on one of our servers. For now, Keycloak is used to connect to two of our services, both of them accessed by HTTPS.
> One of them (service #1) is on the same server as Keycloak, and the other (service #2) is on another server.
> We use NGINX to proxy pass to the three services: Keycloak and service #1 on some localhost ports, and service #2 on an external IP address.
>
> When we authenticate on service #1, we have no problem, but when we authenticate on service #2, an infinite loop occurs on the home page.
> When we look at the Keycloak Adapter on service #2, we can see the Keycloak object with the data (user, token, etc.), but the page refreshes automatically.
> When the page refreshes, it's not caused by a logout call in our JavaScript code.
>
> Do you have any idea what it can be?
> We are using Keycloak version 2.2.1 FINAL.
>
> Thank you,
>
> Ian
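The proxy-header and ssl-required interplay described in Thomas's reply above, as an added example that is not part of any message in this thread. It is a Python simulation of the decision, not Keycloak's or Undertow's own code: the private ranges that the "external" mode exempts follow the Keycloak admin guide (localhost, 10/8, 172.16/12, 192.168/16; the ::1 entry is my assumption), and the function names observed_request and diagnose, the sample client address 203.0.113.5 and the header sets are constructed for the example. It shows why proxy-address-forwarding and the X-Forwarded-Proto header have to be set together behind an SSL-terminating NGINX, and why honouring those headers is only safe on a listener that nothing but the trusted proxy can reach.

```python
"""Simulate what a server behind an SSL-terminating reverse proxy believes
about a request, then apply the documented ssl-required semantics
("all", "external", "none") to what it believes.  Added example, not
Keycloak code; the private-range list follows the Keycloak admin guide,
the ::1 entry is an assumption."""
import ipaddress
from dataclasses import dataclass
from typing import Dict

# Ranges the "external" mode treats as private (documented); ::1 assumed.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128")]

OK = "ok"
REJECTED = "rejected: HTTPS required"
LOOP_RISK = "redirect-loop risk: server sees http, browser is on https"


def is_private(addr: str) -> bool:
    """True for the address ranges the "external" mode exempts from SSL."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)  # mixed v4/v6 compares as False


def ssl_required(mode: str, client_ip: str) -> bool:
    """ssl-required as documented: 'all' always, 'none' never,
    'external' only for clients outside the private ranges."""
    if mode == "all":
        return True
    if mode == "none":
        return False
    if mode == "external":
        return not is_private(client_ip)
    raise ValueError(f"unknown ssl-required mode: {mode}")


@dataclass(frozen=True)
class Observed:
    scheme: str      # scheme the server will put into the redirect URLs it builds
    client_ip: str   # address the server will treat as the caller


def observed_request(headers: Dict[str, str], peer_ip: str, peer_scheme: str,
                     proxy_address_forwarding: bool) -> Observed:
    """What the backend believes about one request.

    With proxy-address-forwarding off only the TCP peer is trusted, and the
    peer is the proxy itself: loopback address, plain http.  With it on,
    X-Forwarded-For and X-Forwarded-Proto are honoured, which is only safe
    when every path to the listener goes through a proxy that overwrites
    those headers; a direct client can set them to anything."""
    if not proxy_address_forwarding:
        return Observed(peer_scheme, peer_ip)
    xff = headers.get("X-Forwarded-For")
    xfp = headers.get("X-Forwarded-Proto")
    client_ip = xff.split(",")[0].strip() if xff else peer_ip
    scheme = xfp.strip().lower() if xfp else peer_scheme
    return Observed(scheme, client_ip)


def diagnose(headers: Dict[str, str], peer_ip: str, proxy_address_forwarding: bool,
             ssl_mode: str, browser_scheme: str = "https") -> str:
    """Classify a proxied request: accepted, rejected for missing TLS, or a
    scheme mismatch that makes the server emit http:// redirects for a page
    the browser loaded over https:// (the mismatch that shows up as a
    reload loop once the adapter keeps bouncing between the two)."""
    obs = observed_request(headers, peer_ip, "http", proxy_address_forwarding)
    if ssl_required(ssl_mode, obs.client_ip) and obs.scheme != "https":
        return REJECTED
    if obs.scheme != browser_scheme:
        return LOOP_RISK
    return OK


# Constructed sample requests: TLS terminated at NGINX on the same host
# (peer 127.0.0.1), browser at a public address from the documentation range.
EXTERNAL_CLIENT = "203.0.113.5"
NO_PROTO = {"X-Forwarded-For": EXTERNAL_CLIENT}
FULL = {"X-Forwarded-For": EXTERNAL_CLIENT, "X-Forwarded-Proto": "https"}

if __name__ == "__main__":
    for label, hdrs, fwd in (("forwarding off, no proto", {}, False),
                             ("forwarding on, no proto", NO_PROTO, True),
                             ("forwarding on, proto set", FULL, True)):
        print(f"{label:26s} -> {diagnose(hdrs, '127.0.0.1', fwd, 'external')}")
```

Run stand-alone, the three constructed cases print a scheme mismatch, a rejection and an accepted request, in that order: with forwarding off the server sees a loopback caller over http, so "external" lets it through but every URL it builds is http://; with forwarding on but no X-Forwarded-Proto it sees the real client over http and refuses; only the full header set matches what the browser sees. The same function also shows the trust side: once forwarding is on, a direct client presenting X-Forwarded-For: 10.0.0.9 is reported as 10.0.0.9, so a listener reachable by anyone other than the proxy lets an attacker pose as a private address and sidestep the "external" rule.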
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From chris.savory at edlogics.com Fri Nov 4 17:14:08 2016
From: chris.savory at edlogics.com (Chris Savory)
Date: Fri, 4 Nov 2016 21:14:08 +0000
Subject: [keycloak-user] Having difficulty logging out in a 2 client scenario
In-Reply-To: 
References: <692F2625-FAA8-4931-B0C2-50889222582C@edlogics.com>
Message-ID: 

I have a couple of questions.

1. Does it make sense to create a RefreshableKeycloakSecurityContext with a null refreshToken? It seems like this defeats the purpose of that object, since it is not refreshable in that state.

2. I'm looking at SpringSecurityRequestAuthenticator/RequestAuthenticator and it looks like an OAuth token is treated differently than a Bearer token. OAuth tokens are validated back against the Keycloak server and Bearer tokens are not. Is there a reason for this? I thought this would be one of the tenets of SSO, where I could take a Bearer token and be logged in on another client. But that doesn't seem possible if that token expires and it can't be refreshed.

3. Is it possible for me to:
   a. extend the Keycloak Spring Security adapter to detect a token w/o a refreshToken
   b. then go to the Keycloak server and get one
   c. save the updated RefreshableKeycloakSecurityContext back to the Spring Security Context.

4. I'm curious why SpringSecurityRequestAuthenticator.completeBearerAuthentication adds the KeycloakAuthenticationToken to the SecurityContextHolder, but SpringSecurityRequestAuthenticator.completeOAuthAuthentication does not?
The reason I ask is essentially that by adding to the holder, it's going to be added to the session by Spring Security in Spring's SecurityContextPersistenceFilter, which means that Bearer token will persist across requests. Is that the intention?

--
Christopher Savory
Software Engineer | EdLogics

On 11/4/16, 1:16 AM, "Chris Savory" wrote:

Stian,

Currently it is both services and a web app. It's a monolith in its current state. We have plans to break apart the API services at some point, but that is in the future.

--
Christopher Savory
Software Engineer | EdLogics

From: Stian Thorgersen
Reply-To: "stian at redhat.com"
Date: Friday, November 4, 2016 at 12:18 AM
To: Chris Savory
Cc: "keycloak-user at lists.jboss.org", Danilo Bonilla, David Hartfield, Ali Elhajj
Subject: Re: [keycloak-user] Having difficulty logging out in a 2 client scenario

Sounds like the Spring Security Adapter is services and not a web app? If so it shouldn't deal with logins and logouts at all. It should be configured as a bearer-only client.

On 1 November 2016 at 00:11, Chris Savory wrote:

Our application has 2 clients:
1. A Confidential Client that uses the Spring Security Adapter
2. A Public Client that uses the JavaScript Adapter for an Angular SPA app.

Everything between the two is working fine until I try to logout under certain conditions.

Logout works fine if I first deep link into a protected page in my app. The Spring Security adapter for client #1 redirects me to Keycloak. Keycloak then logs me in and sends me back to my app, where my token was issued for client #1. If I logout under this scenario via the Spring Security adapter it works fine.

In Scenario #2 I first hit an Angular page in my app. Then I log in from the JS Adapter in client #2. Then through a REST call to my Spring App (in which a Bearer token is passed) a Java session is established on Tomcat.
When I put some break points in the Keycloak Adapter classes I can see that the KeycloakToken only contains the token in this scenario, but not the refresh token. I can also see that the token was issued for client #2. When I try to logout, the adapter sends a request to Keycloak with an empty refresh_token and Keycloak returns a 400 error, thus nullifying the logout.

I also tried another scenario where I use the JS Adapter to get the logout URL and logout directly to Keycloak via

    window.location = keycloak.createLogoutUrl({ redirectUri: '/site-url' })

This actually logs out the user from all clients (which is what I want), but the problem here is that on the next request to the Spring app I think there is still an HttpSession alive and I'm running into the check in SpringSecurityTokenStore.saveAccountInfo where it throws an exception because there is already an (old) token inside the SecurityContextHolder.

Any advice on how to proceed from either of these two scenarios?

--
Christopher Savory
Software Engineer | EdLogics

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From pygator at linux.com Sat Nov 5 09:36:33 2016
From: pygator at linux.com (Ricardo Chu)
Date: Sat, 5 Nov 2016 09:36:33 -0400
Subject: [keycloak-user] Keycloak with EZproxy
In-Reply-To: 
References: 
Message-ID: 

Here is the trace output of this problem: https://bitbucket.org/snippets/rachu/ddRze/keycloak-ezproxy-problem

This log includes the startup of Keycloak and the login attempt. The login fails and the message "invalid requester" is displayed in the browser. The trace shows the "Invalid signature on document" message. Line 5211 says "Cannot find Signature element". Any idea what may cause this?

Rick

On Fri, Sep 30, 2016 at 3:25 AM, Stian Thorgersen wrote:
> "XML External Entity switches are not supported. You may get XML injection vulnerabilities."
> is just a warning and shouldn't have anything to do with the issue.
>
> Try enabling trace logging for org.keycloak and see if you get any more details.
>
> On 23 September 2016 at 14:52, Bill Kuntz wrote:
>
> > Thanks.
> >
> > When we attempt to authenticate using keycloak 2.2.0_final, we get the following log entries on the Keycloak server:
> >
> > 2016-09-23 08:44:09,842 WARN [org.keycloak.saml.common] (default task-1) XML External Entity switches are not supported. You may get XML injection vulnerabilities.
> > 2016-09-23 08:44:09,948 ERROR [org.keycloak.protocol.saml.SamlService] (default task-1) request validation failed: org.keycloak.common.VerificationException: Invalid signature on document
> >     at org.keycloak.protocol.saml.SamlProtocolUtils.verifyDocumentSignature(SamlProtocolUtils.java:57)
> >     at org.keycloak.protocol.saml.SamlProtocolUtils.verifyDocumentSignature(SamlProtocolUtils.java:50)
> >     at org.keycloak.protocol.saml.SamlService$PostBindingProtocol.verifySignature(SamlService.java:405)
> >     at org.keycloak.protocol.saml.SamlService$BindingProtocol.handleSamlRequest(SamlService.java:186)
> >     at org.keycloak.protocol.saml.SamlService$PostBindingProtocol.execute(SamlService.java:428)
> >     at org.keycloak.protocol.saml.SamlService.postBinding(SamlService.java:504)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >     at java.lang.reflect.Method.invoke(Method.java:498)
> >     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
> >     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
> >     at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
> >     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
> >     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
> >     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
> >     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
> >     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
> >     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> >     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> >     at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> >     at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
> >     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
> >     at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
> >     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
> >     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
> >     at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
> >     at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> >     at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> >     at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> >     at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
> >     at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> >     at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> >     at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> >     at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
> >     at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> >     at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> >     at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> >     at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> >     at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
> >     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
> >     at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> >     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
> >     at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
> >     at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
> >     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> >     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> >     at java.lang.Thread.run(Thread.java:745)
> >
> > 2016-09-23 08:44:10,075 WARN [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=FLVC, clientId=null, userId=null, ipAddress=192.168.33.51, error=invalid_signature
> >
> > I have verified that the keys on the client match the server. Do the XML External Entities have something to do with this?
> >
> > Any help is appreciated.
> >
> > Thanks,
> > Bill
> >
> > *From:* Stian Thorgersen [mailto:sthorger at redhat.com]
> > *Sent:* Thursday, September 08, 2016 2:31 AM
> > *To:* Bill Kuntz
> > *Cc:* keycloak-user at lists.jboss.org
> > *Subject:* Re: [keycloak-user] Keycloak with EZproxy
> >
> > Not sure what they mean about "authentication sequence identical to a standard Shibboleth Identity Provider", but Keycloak is pretty configurable so it should be possible to adapt the SAML configuration for the client to make it work with EZProxy.
> >
> > On 1 September 2016 at 17:47, Bill Kuntz wrote:
> >
> > Has anyone successfully used Keycloak with OCLC's EZProxy?
> > We have been experimenting with Keycloak, and have been able to get it working with other SPs, but not EZProxy.
> >
> > OCLC says "EZproxy supports connecting to non-Shibboleth SAML2 SSO systems if and only if that system uses an authentication sequence identical to a standard Shibboleth Identity Provider (IDP)."
> >
> > Thanks,
> > Bill
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From michael_furman at hotmail.com Sun Nov 6 04:33:15 2016
From: michael_furman at hotmail.com (Michael Furman)
Date: Sun, 6 Nov 2016 09:33:15 +0000
Subject: [keycloak-user] Creation UI for new authentication schema configuration.
In-Reply-To: 
References: 
Message-ID: 

Hi Stian,

I was able to add the authentication provider in 2.3.0 but only to the copied flow.

1. Why can I not add the execution to the Browser flow? If I copy the browser flow (and call it Browser2 flow), what flow will be the default for browser authentication? How can I configure the new Browser2 flow to be the default for browser authentications?

2. Will a REST API be generated for the configuration of the authentication provider? How can I configure it via the REST API?

Best regards,
Michael

________________________________
From: Stian Thorgersen
Sent: Friday, November 4, 2016 7:52 AM
To: Stian Thorgersen
Cc: Michael Furman; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Creation UI for new authentication schema configuration.

FYI we did check this example for the 2.3.0.CR1 release so I doubt it's broken.

On 4 November 2016 at 06:51, Stian Thorgersen wrote:

I don't know what you mean by it is not recognized by Keycloak. Did you follow the steps in the example to register it?
See https://github.com/keycloak/keycloak/blob/master/examples/providers/authenticator/README.md

On 3 November 2016 at 20:14, Michael Furman wrote:

Hi,

Unfortunately I cannot deploy the example authentication provider to Keycloak.

Who can help?

I have compiled authenticator-required-action-example from the examples. I copied the provider jar into the "standalone/configuration/providers" directory according to the document: https://keycloak.gitbooks.io/server-developer-guide/content/v/2.2/topics/auth-spi.html

Unfortunately Keycloak does not recognize the provider. Then I copied it to the "providers" folder under the root Keycloak folder. Also without success.

I have opened an issue: https://issues.jboss.org/browse/KEYCLOAK-3856

Best regards,
Michael

________________________________
From: Stian Thorgersen
Sent: Tuesday, November 1, 2016 11:08 AM
To: Michael Furman
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Creation UI for new authentication schema configuration.

On the config for the authenticator. Please look at the docs and also the example; it explains this pretty well.

On 31 October 2016 at 13:47, Michael Furman wrote:

Thanks,

Where will I see the generated UI? On the authentication page?
http://localhost:8080/auth/admin/master/console/#/realms/master/authentication/flows/browser

Also, can I add / update the authenticator configuration via REST API?
http://www.keycloak.org/docs/rest-api/#_update_authenticator_configuration

Thank you in advance for your help.

Best regards,
Michael

________________________________
From: Stian Thorgersen
Sent: Monday, October 31, 2016 8:00 AM
To: Michael Furman
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Creation UI for new authentication schema configuration.

Configuration UI is generated based on what's returned by the getConfigProperties method.

On 30 October 2016 at 12:28, Michael Furman wrote:

Thanks Stian,

I will be happy for the additional clarifications.
I have looked in https://keycloak.gitbooks.io/server-developer-guide/content/topics/auth-spi.html but was not able to find a lot. I think that the following is relevant:

The next few methods define how the Authenticator can be configured.
- The getConfigProperties() method returns a list of ProviderConfigProperty objects. These objects define a specific configuration attribute.

But according to my understanding the configuration should appear in the Authenticator configuration UI. Therefore, how should I create the UI?

Additional question: will the new Authenticator appear in Authentication Flows: https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/authentication/flows.html
Will I be able to configure Required / Optional / Disabled for the new Authenticator?

Thank you in advance for your help.

Best regards,
Michael

________________________________
From: Stian Thorgersen
Sent: Thursday, October 27, 2016 9:57 AM
To: Michael Furman
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Creation UI for new authentication schema configuration.

We don't support that directly so you would have to develop your own custom authenticator for it. The doc you linked describes how to do that.

On 26 October 2016 at 17:08, Michael Furman wrote:

Hi all,

I want to add support for the new authentication schema. How can I add UI for new authentication schema configuration? For example, I want to add the TACACS authentication schema. Therefore I need to configure the TACACS server IP and the secret.

Maybe I have missed it, but I cannot find it here: https://keycloak.gitbooks.io/server-developer-guide/content/topics/auth-spi.html

Thank you in advance for your help.
Best regards,
Michael

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From thomas.darimont at googlemail.com Sun Nov 6 04:42:27 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Sun, 6 Nov 2016 10:42:27 +0100
Subject: [keycloak-user] Creation UI for new authentication schema configuration.
In-Reply-To: 
References: 
Message-ID: 

Hello Michael,

if you want to create a custom browser flow by copying the original browser flow you need to bind your custom browser flow on the "Authentication -> Bindings" tab, where you link your custom browser flow to be used as "the" browser flow.

Cheers,
Thomas

2016-11-06 10:33 GMT+01:00 Michael Furman:
> Hi Stian,
> I was able to add the authentication provider in 2.3.0 but only to the copied flow.
>
> 1. Why can I not add the execution to the Browser flow?
> If I copy the browser flow (and call it Browser2 flow) what flow will be the default for browser authentication?
> How can I configure the new Browser2 flow to be the default for browser authentications?
> 2. Will a REST API be generated for the configuration of the authentication provider?
> How can I configure it via REST API?
>
> Best regards,
> Michael
>
> ________________________________
> From: Stian Thorgersen
> Sent: Friday, November 4, 2016 7:52 AM
> To: Stian Thorgersen
> Cc: Michael Furman; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Creation UI for new authentication schema configuration.
>
> FYI we did check this example for the 2.3.0.CR1 release so I doubt it's broken
>
> On 4 November 2016 at 06:51, Stian Thorgersen <sthorger at redhat.com> wrote:
> I don't know what you mean by it is not recognized by Keycloak. Did you follow the steps in the example to register it?
> See https://github.com/keycloak/keycloak/blob/master/examples/providers/authenticator/README.md
>
> On 3 November 2016 at 20:14, Michael Furman <michael_furman at hotmail.com> wrote:
>
> Hi,
>
> Unfortunately I cannot deploy the example authentication provider to Keycloak
>
> Who can help?
>
> I have compiled authenticator-required-action-example from the examples.
> I copied the provider jar into the "standalone/configuration/providers" directory according to the document:
> https://keycloak.gitbooks.io/server-developer-guide/content/v/2.2/topics/auth-spi.html
>
> Unfortunately Keycloak does not recognize the provider.
> Then I copied it to the "providers" folder under the root Keycloak folder.
> Also without success.
>
> I have opened an issue https://issues.jboss.org/browse/KEYCLOAK-3856
>
> Best regards,
> Michael
>
> ________________________________
> From: Stian Thorgersen
> Sent: Tuesday, November 1, 2016 11:08 AM
> To: Michael Furman
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Creation UI for new authentication schema configuration.
>
> On the config for the authenticator. Please look at the docs and also the example; it explains this pretty well.
>
> On 31 October 2016 at 13:47, Michael Furman <michael_furman at hotmail.com> wrote:
> Thanks,
> Where will I see the generated UI?
> On the authentication page?
> http://localhost:8080/auth/admin/master/console/#/realms/master/authentication/flows/browser
> Also, can I add / update the authenticator configuration via REST API?
> http://www.keycloak.org/docs/rest-api/#_update_authenticator_configuration
> Thank you in advance for your help.
> Best regards,
> Michael
>
> ________________________________
> From: Stian Thorgersen
> Sent: Monday, October 31, 2016 8:00 AM
> To: Michael Furman
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Creation UI for new authentication schema configuration.
>
> Configuration UI is generated based on what's returned by the getConfigProperties method
>
> On 30 October 2016 at 12:28, Michael Furman <michael_furman at hotmail.com> wrote:
> Thanks Stian,
> I will be happy for the additional clarifications.
> I have looked in https://keycloak.gitbooks.io/server-developer-guide/content/topics/auth-spi.html but was not able to find a lot.
> I think that the following is relevant:
>
> The next few methods define how the Authenticator can be configured.
> - The getConfigProperties() method returns a list of ProviderConfigProperty objects. These objects define a specific configuration attribute.
>
> But according to my understanding the configuration should appear in the Authenticator configuration UI.
> Therefore, how should I create the UI?
>
> Additional question: will the new Authenticator appear in Authentication Flows:
> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/authentication/flows.html
> Will I be able to configure Required / Optional / Disabled for the new Authenticator?
> Thank you in advance for your help.
> Best regards,
> Michael
>
> ________________________________
> From: Stian Thorgersen
> Sent: Thursday, October 27, 2016 9:57 AM
> To: Michael Furman
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Creation UI for new authentication schema configuration.
>
> We don't support that directly so you would have to develop your own custom authenticator for it. The doc you linked describes how to do that.
>
> On 26 October 2016 at 17:08, Michael Furman <michael_furman at hotmail.com> wrote:
> Hi all,
> I want to add support for the new authentication schema.
> How can I add UI for new authentication schema configuration?
> For example, I want to add the TACACS authentication schema.
> Therefore I need to configure the TACACS server IP and the secret.
> Maybe I have missed it, but I cannot find it here:
> https://keycloak.gitbooks.io/server-developer-guide/content/topics/auth-spi.html
>
> Thank you in advance for your help.
> Best regards,
> Michael
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From michael_furman at hotmail.com Sun Nov 6 08:38:07 2016
From: michael_furman at hotmail.com (Michael Furman)
Date: Sun, 6 Nov 2016 13:38:07 +0000
Subject: [keycloak-user] Creation UI for new authentication schema configuration.
In-Reply-To: 
References: 
Message-ID: 

I still need help.

The example for the secret question is good but I need another example. I am in the middle of a POC that will help us to understand if we can use Keycloak in our production. It contains a lot of aspects (creating other authenticators, creating our own UI over Keycloak, etc.).

In this thread I just want to create an authenticator that will take a user name and a user password and will authenticate against a RADIUS server. If it fails, the default UsernamePasswordForm authenticator should handle the authentication.

I will really appreciate it if somebody will help me with the following questions.

1. Do you have an example that shows how to create a simple user name and password authenticator?
2. How can I configure the authentication provider via REST API? Will a configuration REST API be generated automatically?
3. I have created a simple authenticator that overrides UsernamePasswordForm. It appears in the UI. Unfortunately the request does not come to my implementation. What have I missed?
I have opened a bug and attached sources: https://issues.jboss.org/browse/KEYCLOAK-3867

Best regards,
Michael

________________________________
From: Thomas Darimont
Sent: Sunday, November 6, 2016 11:42 AM
To: Michael Furman
Cc: Stian Thorgersen; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Creation UI for new authentication schema configuration.

Hello Michael,

if you want to create a custom browser flow by copying the original browser flow you need to bind your custom browser flow on the "Authentication -> Bindings" tab, where you link your custom browser flow to be used as "the" browser flow.

Cheers,
Thomas

2016-11-06 10:33 GMT+01:00 Michael Furman:

Hi Stian,

I was able to add the authentication provider in 2.3.0 but only to the copied flow.

1. Why can I not add the execution to the Browser flow? If I copy the browser flow (and call it Browser2 flow), what flow will be the default for browser authentication? How can I configure the new Browser2 flow to be the default for browser authentications?
2. Will a REST API be generated for the configuration of the authentication provider? How can I configure it via REST API?

Best regards,
Michael

________________________________
From: Stian Thorgersen
Sent: Friday, November 4, 2016 7:52 AM
To: Stian Thorgersen
Cc: Michael Furman; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Creation UI for new authentication schema configuration.

FYI we did check this example for the 2.3.0.CR1 release so I doubt it's broken.

On 4 November 2016 at 06:51, Stian Thorgersen wrote:

I don't know what you mean by it is not recognized by Keycloak. Did you follow the steps in the example to register it? See https://github.com/keycloak/keycloak/blob/master/examples/providers/authenticator/README.md

On 3 November 2016 at 20:14, Michael Furman wrote:

Hi,

Unfortunately I cannot deploy the example authentication provider to Keycloak.

Who can help?

I have compiled authenticator-required-action-example from the examples.
I copied the provider jar into the "standalone/configuration/providers" directory according to the document: https://keycloak.gitbooks.io/server-developer-guide/content/v/2.2/topics/auth-spi.html
Unfortunately Keycloak does not recognize the provider.
Then I copied it to the "providers" folder under the root Keycloak folder. Also without success.
I have opened an issue https://issues.jboss.org/browse/KEYCLOAK-3856
Best regards,
Michael

________________________________
From: Stian Thorgersen
Sent: Tuesday, November 1, 2016 11:08 AM
To: Michael Furman
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Creation UI for new authentication schema configuration.

On the config for the authenticator. Please look at the docs and also the example; it explains this pretty well.

On 31 October 2016 at 13:47, Michael Furman wrote:
Thanks,
Where will I see the generated UI?
On the authentication page?
http://localhost:8080/auth/admin/master/console/#/realms/master/authentication/flows/browser
Also, can I add / update the authenticator configuration via REST API?
http://www.keycloak.org/docs/rest-api/#_update_authenticator_configuration
Thank you in advance for your help.
Best regards,
Michael

________________________________
From: Stian Thorgersen
Sent: Monday, October 31, 2016 8:00 AM
To: Michael Furman
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Creation UI for new authentication schema configuration.

Configuration UI is generated based on what's returned by the getConfigProperties method

On 30 October 2016 at 12:28, Michael Furman wrote:
Thanks Stian,
I will be happy for additional clarifications.
I have looked in https://keycloak.gitbooks.io/server-developer-guide/content/topics/auth-spi.html but was not able to find a lot.
I think that the following is relevant:

The next few methods define how the Authenticator can be configured.
...
The getConfigProperties() method returns a list of ProviderConfigProperty objects.
These objects define a specific configuration attribute.

But according to my understanding the configuration should appear in the Authenticator configuration UI.
Therefore, how should I create the UI?

Additional question: will the new Authenticator appear in Authentication Flows:
https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/authentication/flows.html
Will I be able to configure Required / Optional / Disabled for the new Authenticator?
Thank you in advance for your help.
Best regards,
Michael

________________________________
From: Stian Thorgersen
Sent: Thursday, October 27, 2016 9:57 AM
To: Michael Furman
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Creation UI for new authentication schema configuration.

We don't support that directly so you would have to develop your own custom authenticator for it. The doc you linked describes how to do that.

On 26 October 2016 at 17:08, Michael Furman wrote:
Hi all,
I want to add support for a new authentication schema.
How can I add UI for the new authentication schema configuration?
For example, I want to add the TACACS authentication schema.
Therefore I need to configure the TACACS server IP and the secret.
Maybe I have missed it but I can not find it here: https://keycloak.gitbooks.io/server-developer-guide/content/topics/auth-spi.html
Thank you in advance for your help.
Best regards,
Michael

From bburke at redhat.com Sun Nov 6 10:33:41 2016
From: bburke at redhat.com (Bill Burke)
Date: Sun, 6 Nov 2016 10:33:41 -0500
Subject: [keycloak-user] Creation UI for new authentication schema configuration.
Message-ID: <9f82bf70-ff9e-2216-16f4-d9cbd1346df1@redhat.com>

Where is the user going to live? In Keycloak's DB? Or does Radius store and provide info about the user?

On 11/6/16 8:38 AM, Michael Furman wrote:
> In this thread I just want to create the authenticator that will take a user name and a user password and will authenticate against a Radius server.
> If it fails, the default UsernamePasswordForm authenticator should handle the authentication.
From michael_furman at hotmail.com Sun Nov 6 10:42:34 2016
From: michael_furman at hotmail.com (Michael Furman)
Date: Sun, 6 Nov 2016 15:42:34 +0000
Subject: [keycloak-user] Can not authenticate user using Spring Security Adapter

Hi all,
Please help me with the following issue.
I try to configure the Spring Security Adapter (version 2.3.0.Final):
https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/spring-security-adapter.html
I suppose that Keycloak uses static client registration, since when I try to connect without the client configuration in Keycloak I get the following:

16:15:43,174 WARN [org.keycloak.events] (default task-3) type=LOGIN_ERROR, realmId=master, clientId=st_1, userId=null, ipAddress=192.168.111.33, error=client_not_found

Please note that I was able to connect to Keycloak using a non-Keycloak OIDC client using the following configuration:
a) clientId
b) clientSecret
c) Scopes
d) redirectUris
Therefore I have configured the client at Keycloak using the same information.
I am not sure what "Valid Redirect URIs" is and I have configured the following value: http://192.168.110.2:8081/app/sso/login
Now the client redirects to the Keycloak IDP using this URL:
http://192.168.110.2:8080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=testclient&redirect_uri=http%3A%2F%2F192.168.110.2%3A8081%2Fapp%2Fsso%2Flogin&state=10%2Fc0079a4b-e896-4400-9357-77fdacde9a56&login=true&scope=openid
I authenticate the user and the IDP returns back to the client using this URL:
http://192.168.110.2:8081/app/sso/login?state=14%2F9a4376fa-06e2-4188-a616-a182363dab3a&code=JzKXHOm7jRp5pkfT6GT6rRPZ5HOcZyGEB5uA-fjrk1I.7d91a145-76a5-4bc4-960f-f4a67f242fba
Unfortunately then I have an endless loop.
While I debug KeycloakAuthenticationProcessingFilter I see that AuthOutcome gets the value NOT_ATTEMPTED and it causes an additional redirect to the IDP.
What did I miss?
I have opened the bug https://issues.jboss.org/browse/KEYCLOAK-3868 with the attached json file and Spring Security configuration.
Best regards,
Michael

From michael_furman at hotmail.com Sun Nov 6 11:14:22 2016
From: michael_furman at hotmail.com (Michael Furman)
Date: Sun, 6 Nov 2016 16:14:22 +0000
Subject: [keycloak-user] Creation UI for new authentication schema configuration.
In-Reply-To: <9f82bf70-ff9e-2216-16f4-d9cbd1346df1@redhat.com>
References: <9f82bf70-ff9e-2216-16f4-d9cbd1346df1@redhat.com>

Hi Bill,
Please note that RADIUS can provide the authentication service only and can not provide the user details (first name, last name, email).
Please remember that I want to configure the authentication flow as follows:
Cookie - ALTERNATIVE
Radius - ALTERNATIVE
Forms Subflow - ALTERNATIVE
Regarding your question I can see the following use cases.
1) User does not exist in Keycloak's DB but exists in the RADIUS server. In this case the authentication against the RADIUS server will succeed and the user will be authenticated. The user information will contain only the user name.
2) User exists in Keycloak's DB and exists in the RADIUS server. In this case the authentication against the RADIUS server will succeed and the user will be populated with the user information from Keycloak's DB. The user information will contain the user name, first name, last name, email and other information.
3) User exists in Keycloak's DB but does not exist in the RADIUS server. In this case the authentication against Keycloak's DB will succeed and the user will be populated with the user information from Keycloak's DB. The user information will contain the user name, first name, last name, email and other information.
4) User does not exist in Keycloak's DB and does not exist in the RADIUS server. In this case the authentication will fail.
Is it possible to support it?

________________________________
From: keycloak-user-bounces at lists.jboss.org on behalf of Bill Burke
Sent: Sunday, November 6, 2016 5:33 PM
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Creation UI for new authentication schema configuration.

Where is the user going to live? In Keycloak's DB? Or does Radius store and provide info about the user?
From sthorger at redhat.com Mon Nov 7 00:24:54 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 7 Nov 2016 06:24:54 +0100
Subject: [keycloak-user] Losing some sessions during clustering

It's not replicated by default as it's a distributed cache.

Health check would need to know what nodes are supposed to be in the cluster and check that they are there. Can't see "checking if a session has been replicated" as a solution.

On 4 November 2016 at 07:14, Thomas Darimont wrote:
> Is there a way in Keycloak to detect if Session state has been retrieved by a Keycloak node?
> Perhaps Keycloak could listen for the first replication event and change a flag based on that...
>
> This could then be used by a health-check which could be accessed via a load-balancer like ha-proxy or nginx.
>
> Cheers,
> Thomas
>
> On 04.11.2016 at 6:59 AM, "Stian Thorgersen" wrote:
>
>> Do you wait until the nodes are fully started or just 200 from admin console? You need to wait for Infinispan to successfully transfer the state.
>>
>> Try giving it at least a couple min before killing nodes.
>>
>> Have you checked that clustering is working properly and that nodes see each other?
>>
>> We don't support Postgres for session storage, so not sure how you are planning to switch to that.
>>
>> On 3 November 2016 at 22:23, Chris Hairfield wrote:
>>
>>> No dice, sadly. Here's our latest test:
>>>
>>> 1. Set owners to 2 for all 3 caches
>>> 2. Start 2 nodes
>>> 3. Perform a rolling release
>>>    a. Start node 3
>>>    b. Wait for node 3 to respond 200 on admin console
>>>    c. Kill node 1
>>>    d. Start node 4
>>>    e. Wait for node 4 to respond 200 on admin console
>>>    f. Kill node 2
>>>
>>> We lost sessions, even though there were always at least 2 nodes fully online. *(To be explicit, this was judged by signing into the admin console. Is this a fair test? The # of sessions reported by Keycloak stayed the same...)*
>>>
>>> We're considering switching over from Infinispan to Postgres for session storage, at least to see if it works. Still, any additional tips or thoughts would be great.
>>>
>>> Thanks so far,
>>> Chris
>>>
>>> On Thu, Nov 3, 2016 at 11:36 AM Chris Hairfield wrote:
>>>
>>>> Many thanks, John. This seems very likely. If there's no response from our part, you may assume it's fixed.
>>>>
>>>> Cheers,
>>>> Chris
>>>>
>>>> On Thu, Nov 3, 2016 at 11:26 AM John Bartko <john.bartko at drillinginfo.com> wrote:
>>>>
>>>> It sounds like the sessions distributed-cache is not being replicated.
>>>>
>>>> From the Install/Config documentation on cache replication <configuration/content/v/2.3/topics/cache/replication.html>:
>>>> "By default, Keycloak only specifies one owner for data. So if that one node goes down that data is lost. This usually means that users will be logged out and will have to login again."
>>>>
>>>> jboss-cli snippet:
>>>> /subsystem=infinispan/cache-container=keycloak/distributed-cache=sessions:write-attribute(name=owners, value=2)
>>>>
>>>> Hope that helps,
>>>> -John Bartko
>>>>
>>>> On Thu, Nov 3, 2016 at 12:08 PM, Chris Hairfield <chairfield at gmail.com> wrote:
>>>>
>>>> Hello Keycloak users,
>>>>
>>>> We're seeing strange behavior with the session handling when starting up a new node. Keycloak doesn't retain all sessions. Here's our experiment:
>>>>
>>>> 1. start with 1 node containing a few dozen sessions
>>>> 2. start node 2 (nodes clustered via JGroups Ping table + infinispan)
>>>> 3. wait for 10 minutes
>>>> 4. stop node 1
>>>>
>>>> End result: *some* of the clients connected are forced to log back in. Most sessions remain.
>>>>
>>>> We're still investigating, so I cannot infer beyond this point at the moment. I'm simply curious whether anyone knows the following:
>>>>
>>>> - are *all* sessions meant to be migrated to new nodes?
>>>> - how long does it take to migrate sessions?
>>>> - does a new node wait until sessions are migrated before it enables the admin interface?
>>>> - is there any logic to prune sessions on clustering?
>>>>
>>>> Any thoughts would be greatly appreciated.
>>>>
>>>> Thanks,
>>>> Chris

From sthorger at redhat.com Mon Nov 7 00:46:50 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 7 Nov 2016 06:46:50 +0100
Subject: [keycloak-user] Not authorising access to app behind Keycloak security proxy
In-Reply-To: <4790ec970c79a6f79ce53049a1a2e5b2@dorsetnetworks.com>
References: <729a3e21e420eb8d2bb61393fa58a702@dorsetnetworks.com> <4790ec970c79a6f79ce53049a1a2e5b2@dorsetnetworks.com>

This looks like the proxy can't reach the Keycloak server for some reason. Is the auth-server-url correct? Is ssl setup working (maybe try with plain http just to see if that's the issue).

On 1 November 2016 at 18:49, Guy Bowdler wrote:
> Hi all,
>
> I have an app that isn't keycloak aware and have put the keycloak security proxy in front of it, however even with the most basic settings I cannot successfully authenticate to the page - it returns a 403 access denied error and the keycloak proxy outputs this:
>
> org.keycloak.adapters.OAuthRequestAuthenticator resolveCode
> ERROR: failed to turn code into token
> java.net.ConnectException: Connection refused (Connection refused)
>
> Must admit I'm stumped, I thought with this config, any user with an account that successfully logs in would get the app.
I'm not using > roles or anything complicated (because I don't understand it yet) and > have been round the houses without success so any advice would be > greatly appreciated! > > thanks, > > Guy > > ---------------------------------------------- > > Here's some info about the environment: > > ---------------------------------------------- > > Both keycloak and the application are reverse proxied via NGINX, but > this works fine when I change the proxy config from "authenticate":true > to "permit": true. > > DMZ: > > 2 X NGINX SERVERS (not clustered) one proxying keycloak and the other > proxyying the application <-- Proper headers set > > ---------------------------------------------- > > TRUST: > > KEYCLOAK SERVER - Wildfly configured with > > _ redirect-socket="PROXY-HTTPS" PROXY-ADDRESS-FORWARDING="TRUE"/> _and > > _ _ > > APPLICATION SERVER - Keycloak Security Proxy > > 1 { > 2 "target-url": "http://1.2.3.4:80", > 3 "bind-address": "5.6.7.8", > 4 "http-port": "80", > 5 "https-port": "443", > 6 "keystore": "/opt/keycloak-proxy/KeyStore.jks", > 7 "keystore-password": "password", > 8 "key-password": "password", > 9 "applications": [ > 10 { > 11 "base-path": "/", > 12 "error-page": "/error/denied.html", > 13 "adapter-config": { > 14 "realm": "realmname", > 15 "resource": "clientname", > 16 "realm-public-key": "publickey", > 17 "auth-server-url": > "https://keycloak.tiberius.local/auth", > 18 "ssl-required": "external", > 19 "credentials": { > 20 "secret": "secret" > 21 } > 22 } > 23 , > 24 "constraints": [ > 25 { > 26 "pattern": "/*", > 27 "authenticate": "true" > 28 } > 29 ] > 30 > 31 } > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sthorger at redhat.com Mon Nov 7 01:12:00 2016 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 7 Nov 2016 07:12:00 +0100 Subject: [keycloak-user] Having difficulty logging out in a 2 client 
scenario
In-Reply-To:
References: <692F2625-FAA8-4931-B0C2-50889222582C@edlogics.com>
Message-ID:

You should have two clients configured. One client for the js app which is public type (src/main/webapp/keycloak.json) and another one for the services that are bearer-only (src/main/webapp/WEB-INF/keycloak.json).

On 4 November 2016 at 22:14, Chris Savory wrote:

> I have a couple of questions.
>
> 1. Does it make sense to create a RefreshableKeycloakSecurityContext
> with a null refreshToken? Seems like this defeats the purpose of that
> object since it is not refreshable in that state.
> 2. I'm looking at SpringSecurityRequestAuthenticator/RequestAuthenticator
> and it looks like an OAuth token is treated differently than a Bearer
> token. OAuth Tokens are validated back against the keycloak server and
> Bearer tokens are not. Is there a reason for this? I thought this would
> be one of the tenets of SSO where I could take a Bearer token and be
> logged in on another client. But that doesn't seem possible if that token
> expires and it can't be refreshed.
> 3. Is it possible for me to:
> a. extend the Keycloak Spring Security adapter to detect a token
> w/o a refreshToken
> b. then go to the keycloak server and get one
> c. save the updated RefreshableKeycloakSecurityContext back to the
> Spring Security Context.
> 4. I'm curious why does SpringSecurityRequestAuthenticator.completeBearerAuthentication
> add the KeycloakAuthenticationToken to the SecurityContextHolder, but the
> SpringSecurityRequestAuthenticator.completeOAuthAuthentication does not?
> The reason I ask is essentially by adding to the holder, it's going to be
> added to the session by SpringSecurity in Spring's
> SecurityContextPersistenceFilter, which means that Bearer token will
> persist across requests. Is that the intention?
>
> --
> Christopher Savory
> Software Engineer | EdLogics
>
> On 11/4/16, 1:16 AM, "Chris Savory" wrote:
>
> Stian,
>
> Currently it is both services and a web app.
> It's a monolith in its
> current state. We have plans to break apart the API services at some
> point, but that is in the future.
>
> --
> Christopher Savory
> Software Engineer | EdLogics
>
> From: Stian Thorgersen
> Reply-To: "stian at redhat.com"
> Date: Friday, November 4, 2016 at 12:18 AM
> To: Chris Savory
> Cc: "keycloak-user at lists.jboss.org", Danilo Bonilla, David Hartfield <david.hartfield at edlogics.com>, Ali Elhajj
> Subject: Re: [keycloak-user] Having difficulty logging out in a 2 client scenario
>
> Sounds like the Spring Security Adapter is services and not a web app?
> If so it shouldn't deal with logins and logouts at all. It should be
> configured as a bearer-only client.
>
> On 1 November 2016 at 00:11, Chris Savory wrote:
>
> Our application has 2 clients:
> 1. A Confidential Client that uses the Spring Security Adapter
> 2. A Public Client that uses the JavaScript Adapter for an Angular SPA app.
>
> Everything between the two is working fine until I try to logout under
> certain conditions.
>
> Logout works fine if I first: deep link into a protected page in my
> app. The SpringSecurity adapter for client #1 redirects me to Keycloak.
> Keycloak then logs me in and sends me back to my app where my token was
> issued for client #1. If I logout under this scenario via the
> SpringSecurity adapter it works fine.
>
> In Scenario #2 I first hit an Angular page in my app. Then I log in
> from the JS Adapter in client #2. Then through a REST call to my Spring
> App (in which a Bearer token is passed) a java session is established on
> Tomcat. When I put some break points in the Keycloak Adapter classes I can
> see that the KeycloakToken only contains the token in this scenario, but
> not the refresh token. I can also see that the token was issued for client
> #2. When I try to logout, the adapter sends a request to Keycloak with an
> empty refresh_token and keycloak returns a 400 error, thus nullifying the
> logout.
>
> I also tried another scenario where I use the JS Adapter to get the logout
> URL and logout directly to Keycloak via "window.location =
> keycloak.createLogoutUrl({ redirectUri: '/site-url' })". This actually
> logs out the user from all clients (which is what I want), but the problem
> here is on the next request to the Spring app I think there is still an
> HttpSession alive and I'm running into the check in
> SpringSecurityTokenStore.saveAccountInfo where it throws an exception
> because there is already an (old) token inside the SecurityContextHolder.
>
> Any advice on how to proceed from either of these two scenarios?
>
> --
> Christopher Savory
> Software Engineer | EdLogics
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From sthorger at redhat.com Mon Nov 7 01:15:46 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 7 Nov 2016 07:15:46 +0100
Subject: [keycloak-user] Keycloak with EZproxy
In-Reply-To:
References:
Message-ID:

First guess is that EZProxy is not signing the login assertion and the client is configured in KC admin console to require signatures. Try turning "Client Signature Required" off for the client in the Keycloak admin console.

On 5 November 2016 at 14:36, Ricardo Chu wrote:

> Here is the trace output of this problem:
> https://bitbucket.org/snippets/rachu/ddRze/keycloak-ezproxy-problem
>
> This log includes the startup of keycloak and the login attempt. The
> login fails and the message "invalid requester" is displayed in the
> browser.
>
> The trace shows the "Invalid signature on document" message.
> Line 5211 says "Cannot find Signature element".
>
> Any idea what may cause this?
>
> Rick
>
> On Fri, Sep 30, 2016 at 3:25 AM, Stian Thorgersen wrote:
>
>> "XML External Entity switches are not supported. You may get XML
>> injection
>> vulnerabilities."
>> is just a warning and shouldn't have anything to do with
>> the issue.
>>
>> Try enabling trace logging for org.keycloak and see if you get any more
>> details.
>>
>> On 23 September 2016 at 14:52, Bill Kuntz wrote:
>>
>> > Thanks.
>> >
>> > When we attempt to authenticate using keycloak 2.2.0_final, we get the
>> > following log entries on the Keycloak server:
>> >
>> > 2016-09-23 08:44:09,842 WARN [org.keycloak.saml.common] (default task-1)
>> > XML External Entity switches are not supported. You may get XML injection
>> > vulnerabilities.
>> >
>> > 2016-09-23 08:44:09,948 ERROR [org.keycloak.protocol.saml.SamlService]
>> > (default task-1) request validation failed: org.keycloak.common.VerificationException:
>> > Invalid signature on document
>> >
>> > 2016-09-23 08:44:10,075 WARN [org.keycloak.events] (default task-1)
>> > type=LOGIN_ERROR, realmId=FLVC, clientId=null, userId=null,
>> > ipAddress=192.168.33.51, error=invalid_signature
>> >
>> > I have verified that the keys on the client match the server. Does the
>> > XML External Entities have something to do with this?
>> >
>> > Any help is appreciated.
>> >
>> > Thanks,
>> >
>> > Bill
>> >
>> > *From:* Stian Thorgersen [mailto:sthorger at redhat.com]
>> > *Sent:* Thursday, September 08, 2016 2:31 AM
>> > *To:* Bill Kuntz
>> > *Cc:* keycloak-user at lists.jboss.org
>> > *Subject:* Re: [keycloak-user] Keycloak with EZproxy
>> >
>> > Not sure what they mean about "authentication sequence identical to a
>> > standard Shibboleth Identity Provider", but Keycloak is pretty configurable
>> > so it should be possible to adapt the SAML configuration for the client to
>> > make it work with EZProxy.
>> >
>> > On 1 September 2016 at 17:47, Bill Kuntz wrote:
>> >
>> > Has anyone successfully used Keycloak with OCLC's EZProxy? We have been
>> > experimenting with Keycloak, and have been able to get it working with
>> > other SPs, but not EZProxy.
>> >
>> > OCLC says "EZproxy supports connecting to non-Shibboleth SAML2 SSO
>> > systems if and only if that system uses an authentication sequence
>> > identical to a standard Shibboleth Identity Provider (IDP)."
>> >
>> > Thanks,
>> > Bill
>> >
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>

From cristi.cioriia at gmail.com Mon Nov 7 09:31:29 2016
From: cristi.cioriia at gmail.com (Cristi Cioriia)
Date: Mon, 7 Nov 2016 16:31:29 +0200
Subject: [keycloak-user] Implement the Authorization Code Flow using KeyCloak
Message-ID:

Hi guys,

I've just installed Keycloak 2.3.0.Final and I would like to ask you how I can implement an "Authorization Code Flow" using it.
I've looked at the Keycloak basics tutorial from youtube which explained pretty well how things should work, but the 2.3 version has a user interface that is pretty different. In the 2.3 UI, unlike in the 1.5 version that is used in the youtube tutorial, there is no OAuth Client section and the Clients interface seems to contain both the configuration for the Resource Server that contains the protected resources that I want to access and for the third-party application that I want to develop and that will call the protected resources from the Resource Server.

So the questions that I have in this regard are:

1) How do I define several third-party applications that use the same Resource Server?

2) Which are the configurations that are specific to the Resource Server and which ones are the configurations that are specific to the third-party application? It seems to me that the Enable Authorization flag is specific to the Resource Server because it allows me to manage resources through the Authorization tab, while the Credentials tab is specific to the third-party application, because it contains a Client-Id and a Secret that I can use to request an access token from the Authorization-Server. Moreover, in the Scope tab, I could use the "Client Roles" to define the scopes that I need for my third-party app to request from a user of the Resource Server by the authorization server, and the Installation tab can be used by both types of application to generate the Keycloak file that is used for configuring both types of applications. All the other settings seem to belong to the Resource Server application, is this correct?

3) Is there a way to configure the consent screen for the user? E.g. I'd like to allow the resource owner to enter some data, like "allow transactions only for amounts below an X value", where X is the data entered by the user.
Thanks,
Cristi

From michael_furman at hotmail.com Mon Nov 7 09:49:30 2016
From: michael_furman at hotmail.com (Michael Furman)
Date: Mon, 7 Nov 2016 14:49:30 +0000
Subject: [keycloak-user] Can not authenticate user using Spring Security Adapter
Message-ID:

Hi,

I will appreciate your help on the issue below.

I try to configure the Spring Security Adapter (version 2.3.0.Final):
https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/spring-security-adapter.html

I suppose that Keycloak uses static client registration, since when I try to connect without the client configuration in Keycloak I get the following:

16:15:43,174 WARN [org.keycloak.events] (default task-3) type=LOGIN_ERROR, realmId=master, clientId=st_1, userId=null, ipAddress=192.168.111.33, error=client_not_found

Please note that I was able to connect to Keycloak using a non-Keycloak OIDC client using the following configuration:
a) clientId
b) clientSecret
c) Scopes
d) redirectUris

Therefore I have configured the client at Keycloak using the same information.
I am not sure what "Valid Redirect URIs" is and I have configured the following value:
http://192.168.110.2:8081/app/sso/login

Now the client redirects to the Keycloak IDP using this URL:
http://192.168.110.2:8080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=testclient&redirect_uri=http%3A%2F%2F192.168.110.2%3A8081%2Fapp%2Fsso%2Flogin&state=10%2Fc0079a4b-e896-4400-9357-77fdacde9a56&login=true&scope=openid

I authenticate the user and the IDP returns a URL back to the client using this URL:
http://192.168.110.2:8081/app/sso/login?state=14%2F9a4376fa-06e2-4188-a616-a182363dab3a&code=JzKXHOm7jRp5pkfT6GT6rRPZ5HOcZyGEB5uA-fjrk1I.7d91a145-76a5-4bc4-960f-f4a67f242fba

Unfortunately then I have an endless loop.
While I debug KeycloakAuthenticationProcessingFilter I see that AuthOutcome gets the value NOT_ATTEMPTED and it causes an additional redirect to the IDP.

What did I miss?
I have opened the bug https://issues.jboss.org/browse/KEYCLOAK-3868 with attached json file and Spring Security configuration.

Best regards,
Michael

From bepittman at amplify.com Mon Nov 7 13:50:32 2016
From: bepittman at amplify.com (Ben Pittman)
Date: Mon, 7 Nov 2016 13:50:32 -0500
Subject: [keycloak-user] Possible to create a SecurityIdentityProviderFactory with custom provider?
Message-ID:

I'm running Keycloak 1.9.8.Final. I just want to add another social provider with some custom logic (boilerplate OpenID won't work in my case). I've registered my module that overrides SecurityIdentityProviderFactory and provided my own Provider and Factory classes but get a 'resource not found' when I try and access the provider from the Keycloak UI.

I've also tried adding my own LoginProtocolFactory module and I see it get registered on startup but there is no item for it in the 'add provider' identity drop-down.....

Is what I'm trying to do just not possible? Or is there something obvious I'm missing outside of registering modules above to get this to work?

Regards,
Ben

From alan.gibson at gmail.com Mon Nov 7 16:32:18 2016
From: alan.gibson at gmail.com (Alan Gibson)
Date: Mon, 7 Nov 2016 22:32:18 +0100
Subject: [keycloak-user] High Utilization with Keycloak Spring Boot adapter
Message-ID:

Hello all,

During load testing the REST API of a Spring Boot based microservice, we noticed that Keycloak was forming a huge bottleneck.
We had 3 instances of Keycloak (running in clustered mode), each of which was consuming 100% of 8 Xeon CPUs, while only hitting about 80 API calls per second. The load test itself used 800 concurrent users, each doing 1 HTTP request every 100 milliseconds.

It looks like every time a POST is made to the REST API, Spring Boot makes a call to Keycloak to (re)authenticate the user. The Keycloak logs are filled with:

2016-11-06 11:48:07,819 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-74) RESTEASY002315: PathInfo: /realms/proxy/protocol/openid-connect/token
2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) AUTHENTICATE CLIENT
2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) client authenticator: client-secret
2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) client authenticator SUCCESS: client-secret
2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) Client devicereportreceiver authenticated by client-secret
2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) AUTHENTICATE ONLY
2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) processFlow
2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) check execution: direct-grant-validate-username requirement: REQUIRED
2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) authenticator: direct-grant-validate-username
2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) invoke authenticator.authenticate
2016-11-06 11:48:07,821 DEBUG [org.keycloak.services] (default task-74) authenticator SUCCESS: direct-grant-validate-username
2016-11-06 11:48:07,821 DEBUG [org.keycloak.services] (default task-74) check execution: direct-grant-validate-password requirement: REQUIRED
2016-11-06 11:48:07,821 DEBUG [org.keycloak.services] (default task-74) authenticator: direct-grant-validate-password
2016-11-06 11:48:07,821 DEBUG [org.keycloak.services] (default task-74) invoke authenticator.authenticate
2016-11-06 11:48:07,821 DEBUG [org.hibernate.engine.transaction.internal.TransactionImpl] (default task-74) begin
2016-11-06 11:48:07,821 DEBUG [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (default task-74) KeycloakDS: getConnection(null, WrappedConnectionRequestInfo at 25df8309[userName=postgres]) [0/20]
2016-11-06 11:48:09,560 DEBUG [org.keycloak.services] (default task-74) authenticator SUCCESS: direct-grant-validate-password
2016-11-06 11:48:09,560 DEBUG [org.keycloak.services] (default task-74) check execution: direct-grant-validate-otp requirement: OPTIONAL
2016-11-06 11:48:09,560 DEBUG [org.keycloak.services] (default task-74) authenticator: direct-grant-validate-otp
2016-11-06 11:48:09,569 DEBUG [org.keycloak.services] (default task-74) invoke authenticator.authenticate
2016-11-06 11:48:09,569 DEBUG [org.keycloak.services] (default task-74) authenticator ATTEMPTED: direct-grant-validate-otp
2016-11-06 11:48:09,569 DEBUG [org.keycloak.services] (default task-74) Using full scope for client
2016-11-06 11:48:09,569 DEBUG [org.keycloak.services] (default task-74) Using full scope for client
2016-11-06 11:48:09,739 DEBUG [org.keycloak.events] (default task-74) type=LOGIN, realmId=REMOVED, clientId=REMOVED, userId=REMOVED, ipAddress=REMOVED, auth_method=openid-connect, token_id=REMOVED, grant_type=password, refresh_token_type=Refresh, refresh_token_id=REMOVED, client_auth_method=client-secret, username=REMOVED
2016-11-06 11:48:09,739 DEBUG [org.hibernate.engine.transaction.internal.TransactionImpl] (default task-74) committing
2016-11-06 11:48:09,751 DEBUG [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (default task-74) KeycloakDS: returnConnection(2aab4b06, false) [0/20]

The Spring Boot application.properties looks like

keycloak.realm=REMOVED
keycloak.realmKey=REMOVED
keycloak.auth-server-url=${KEYCLOAK_AUTHENTICATION_SERVER}
keycloak.ssl-required=none
keycloak.resource=REMOVED
#keycloak.use-resource-role-mappings=true
keycloak.enable-basic-auth=true
keycloak.credentials.secret=${KEYCLOAK_CLIENT_SECRET}
keycloak.cors=true
keycloak.cors-allowed-headers=x-requested-with,origin,content-type,accept,authorization
keycloak.cors-allowed-methods=GET,POST,DELETE,PUT,OPTIONS
keycloak.cors-max-age=3600
keycloak.expose-token=true
keycloak.bearer-only=true
keycloak.securityConstraints[0].securityCollections[0].name=REMOVED
keycloak.securityConstraints[0].securityCollections[0].authRoles[0]=user
keycloak.securityConstraints[0].securityCollections[0].patterns[0]=/REMOVED
keycloak.securityConstraints[1].securityCollections[0].name=REMOVED
keycloak.securityConstraints[1].securityCollections[0].authRoles[0]=DEVICE
keycloak.securityConstraints[1].securityCollections[0].patterns[0]=/REMOVED/*

So my questions are:

1. Would you expect to see this kind of high utilization with my test scenario?
2. Should the Keycloak Spring Boot adapter be reauthenticating with every request, as opposed to caching the authentication results for a short period of time, or just relying on normal HTTP sessions?

Br,
Alan

From thomas.raehalme at aitiofinland.com Tue Nov 8 00:02:59 2016
From: thomas.raehalme at aitiofinland.com (Thomas Raehalme)
Date: Tue, 8 Nov 2016 07:02:59 +0200
Subject: [keycloak-user] High Utilization with Keycloak Spring Boot adapter
In-Reply-To:
References:
Message-ID:

Hi!

With direct access grants and Basic auth you should authenticate with the first request, then rely on the HttpSession for the subsequent ones. Every request with the Basic auth header opens a new SSO session within Keycloak.

Best regards,
Thomas

On Nov 7, 2016 11:33 PM, "Alan Gibson" wrote:

Hello all,

During load testing the REST API of a Spring Boot based microservice, we noticed that Keycloak was forming a huge bottleneck.
We had 3 instances of Keycloak (running in clustered mode), each of which was consuming 100% of 8 Xeon CPUs, while only hitting about 80 API calls per second. The load test itself used 800 concurrent users, each doing 1 HTTP request every 100 milliseconds.

It looks like every time a POST is made to the REST API, Spring Boot makes a call to Keycloak to (re)authenticate the user. The Keycloak logs are filled with:

2016-11-06 11:48:07,819 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-74) RESTEASY002315: PathInfo: /realms/proxy/protocol/openid-connect/token
2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) AUTHENTICATE CLIENT
2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) client authenticator: client-secret
2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) client authenticator SUCCESS: client-secret
2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) Client devicereportreceiver authenticated by client-secret
2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) AUTHENTICATE ONLY
2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) processFlow
2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) check execution: direct-grant-validate-username requirement: REQUIRED
2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) authenticator: direct-grant-validate-username
2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) invoke authenticator.authenticate
2016-11-06 11:48:07,821 DEBUG [org.keycloak.services] (default task-74) authenticator SUCCESS: direct-grant-validate-username
2016-11-06 11:48:07,821 DEBUG [org.keycloak.services] (default task-74) check execution: direct-grant-validate-password requirement: REQUIRED
2016-11-06 11:48:07,821 DEBUG [org.keycloak.services] (default task-74) authenticator: direct-grant-validate-password
2016-11-06 11:48:07,821 DEBUG [org.keycloak.services] (default task-74) invoke authenticator.authenticate
2016-11-06 11:48:07,821 DEBUG [org.hibernate.engine.transaction.internal.TransactionImpl] (default task-74) begin
2016-11-06 11:48:07,821 DEBUG [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (default task-74) KeycloakDS: getConnection(null, WrappedConnectionRequestInfo at 25df8309[userName=postgres]) [0/20]
2016-11-06 11:48:09,560 DEBUG [org.keycloak.services] (default task-74) authenticator SUCCESS: direct-grant-validate-password
2016-11-06 11:48:09,560 DEBUG [org.keycloak.services] (default task-74) check execution: direct-grant-validate-otp requirement: OPTIONAL
2016-11-06 11:48:09,560 DEBUG [org.keycloak.services] (default task-74) authenticator: direct-grant-validate-otp
2016-11-06 11:48:09,569 DEBUG [org.keycloak.services] (default task-74) invoke authenticator.authenticate
2016-11-06 11:48:09,569 DEBUG [org.keycloak.services] (default task-74) authenticator ATTEMPTED: direct-grant-validate-otp
2016-11-06 11:48:09,569 DEBUG [org.keycloak.services] (default task-74) Using full scope for client
2016-11-06 11:48:09,569 DEBUG [org.keycloak.services] (default task-74) Using full scope for client
2016-11-06 11:48:09,739 DEBUG [org.keycloak.events] (default task-74) type=LOGIN, realmId=REMOVED, clientId=REMOVED, userId=REMOVED, ipAddress=REMOVED, auth_method=openid-connect, token_id=REMOVED, grant_type=password, refresh_token_type=Refresh, refresh_token_id=REMOVED, client_auth_method=client-secret, username=REMOVED
2016-11-06 11:48:09,739 DEBUG [org.hibernate.engine.transaction.internal.TransactionImpl] (default task-74) committing
2016-11-06 11:48:09,751 DEBUG [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (default task-74) KeycloakDS: returnConnection(2aab4b06, false) [0/20]

The Spring Boot application.properties looks like

keycloak.realm=REMOVED
keycloak.realmKey=REMOVED
keycloak.auth-server-url=${KEYCLOAK_AUTHENTICATION_SERVER}
keycloak.ssl-required=none
keycloak.resource=REMOVED
#keycloak.use-resource-role-mappings=true
keycloak.enable-basic-auth=true
keycloak.credentials.secret=${KEYCLOAK_CLIENT_SECRET}
keycloak.cors=true
keycloak.cors-allowed-headers=x-requested-with,origin,content-type,accept,authorization
keycloak.cors-allowed-methods=GET,POST,DELETE,PUT,OPTIONS
keycloak.cors-max-age=3600
keycloak.expose-token=true
keycloak.bearer-only=true
keycloak.securityConstraints[0].securityCollections[0].name=REMOVED
keycloak.securityConstraints[0].securityCollections[0].authRoles[0]=user
keycloak.securityConstraints[0].securityCollections[0].patterns[0]=/REMOVED
keycloak.securityConstraints[1].securityCollections[0].name=REMOVED
keycloak.securityConstraints[1].securityCollections[0].authRoles[0]=DEVICE
keycloak.securityConstraints[1].securityCollections[0].patterns[0]=/REMOVED/*

So my questions are:

1. Would you expect to see this kind of high utilization with my test scenario?
2. Should the Keycloak Spring Boot adapter be reauthenticating with every request, as opposed to caching the authentication results for a short period of time, or just relying on normal HTTP sessions?

Br,
Alan
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Tue Nov 8 02:08:15 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 8 Nov 2016 08:08:15 +0100
Subject: [keycloak-user] Possible to create a SecurityIdentityProviderFactory with custom provider?
In-Reply-To:
References:
Message-ID:

No such thing as a SecurityIdentityProvider. You want to create a provider of SocialIdentityProvider. For example take a look at the Google provider:
https://github.com/keycloak/keycloak/blob/292777259e65a78b1df0bfd8578a2ff8bc22fc21/services/src/main/java/org/keycloak/social/google/GoogleIdentityProvider.java

What social provider are you adding?
Maybe you'd like to contribute it to us if it's a well known one.

On 7 November 2016 at 19:50, Ben Pittman wrote:
> I'm running Keycloak 1.9.8.Final. I just want to add another social
> provider with some custom logic (boilerplate OpenID won't work in my
> case). I've registered my module that
> overrides SecurityIdentityProviderFactory and provided my own Provider and
> Factory classes but get a 'resource not found' when I try and access the
> provider from the Keycloak UI.
>
> I've also tried adding my own LoginProtocolFactory module and I see it get
> registered on startup but there is no item for it in the 'add provider'
> identity drop-down.....
>
> Is what I'm trying to do just not possible? Or is there something obvious
> I'm missing outside of registering modules above to get this to work?
>
> Regards,
> Ben
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From solsson at gmail.com Tue Nov 8 05:59:10 2016
From: solsson at gmail.com (Staffan)
Date: Tue, 8 Nov 2016 11:59:10 +0100
Subject: [keycloak-user] Expose JGroups ports in Docker keycloak-ha-postgres
Message-ID:

Hi,

I've tried in different docker environments (compose, kubernetes, standalone) to get an HA setup running using https://hub.docker.com/r/jboss/keycloak-ha-postgres/. Keycloak nodes start, but are unaware of each other. I fail to reach the JGroups ports from any other container or host system. That is expected, as https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.3/topics/clustering/multicast.html advises you to configure jboss.bind.address.private.
But when I try -Djboss.bind.address.private=0.0.0.0 there's an error during startup:

MSC000001: Failed to start service jboss.jgroups.channel.ee: org.jboss.msc.service.StartException in service jboss.jgroups.channel.ee: java.security.PrivilegedActionException: java.net.BindException: [UDP] /0.0.0.0 is not a valid address on any local network interface
at org.wildfly.clustering.jgroups.spi.service.ChannelBuilder.start(ChannelBuilder.java:80)
Caused by: java.security.PrivilegedActionException: java.net.BindException: [UDP] /0.0.0.0 is not a valid address on any local network interface
at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:640)
Caused by: java.net.BindException: [UDP] /0.0.0.0 is not a valid address on any local network interface
at org.jgroups.util.Util.checkIfValidAddress(Util.java:3522)

... or if I switch to stack="tcp" in the jgroups subsystem:

MSC000001: Failed to start service jboss.jgroups.channel.ee: org.jboss.msc.service.StartException in service jboss.jgroups.channel.ee: java.security.PrivilegedActionException: java.net.BindException: [TCP] /0.0.0.0 is not a valid address on any local network interface

I guess this is a generic Wildfly topic, but I'm curious how the official Keycloak docker containers are tested. In a docker environment, what can we bind to other than 0.0.0.0 or 127.0.0.1? Is there a way to allow a "privileged action"?

regards
Staffan Olsson

From michael_furman at hotmail.com Tue Nov 8 06:09:17 2016
From: michael_furman at hotmail.com (Michael Furman)
Date: Tue, 8 Nov 2016 11:09:17 +0000
Subject: [keycloak-user] Creation UI for new authentication schema configuration.
In-Reply-To:
References: , <9f82bf70-ff9e-2216-16f4-d9cbd1346df1@redhat.com>,
Message-ID:

Hi all,

Can anyone help with this issue?
Is it possible to support the flows described below?
Is it possible to configure authenticators via a generated REST API (or do we need to create a REST API for each authenticator)?
Also, what have I missed in the implementation of my authenticator?
https://issues.jboss.org/browse/KEYCLOAK-3867

Best regards,
Michael

________________________________
From: keycloak-user-bounces at lists.jboss.org on behalf of Michael Furman
Sent: Sunday, November 6, 2016 6:14 PM
To: Bill Burke; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Creation UI for new authentication schema configuration.

Hi Bill,
Please note that RADIUS can provide the authentication service only and cannot provide the user details (first name, last name, email).
Please recall that I want to configure the authentication flow as the following:
Cookie - ALTERNATIVE
Radius - ALTERNATIVE
Forms Subflow - ALTERNATIVE

Regarding your question I can see the following use cases.
1) User does not exist in Keycloak's DB but exists in the RADIUS server.
In this case the authentication against the RADIUS server will succeed and the user will be authenticated.
The user information will contain only the user name.
2) User exists in Keycloak's DB and exists in the RADIUS server.
In this case the authentication against the RADIUS server will succeed and the user information will be populated from Keycloak's DB.
The user information will contain the user name, first name, last name, email and other information.
3) User exists in Keycloak's DB but does not exist in the RADIUS server.
In this case the authentication against Keycloak's DB will succeed and the user information will be populated from Keycloak's DB.
The user information will contain the user name, first name, last name, email and other information.
4) User does not exist in Keycloak's DB and does not exist in the RADIUS server.
In this case the authentication will fail.

Is it possible to support it?
________________________________
From: keycloak-user-bounces at lists.jboss.org on behalf of Bill Burke
Sent: Sunday, November 6, 2016 5:33 PM
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Creation UI for new authentication schema configuration.

Where is the user going to live? In Keycloak's DB? Or does Radius store and provide info about the user?

On 11/6/16 8:38 AM, Michael Furman wrote:
> I still need help.
> The example for the secret question is good but I need another example.
> I am in the middle of a POC that will help us to understand if we can use Keycloak in our production.
> It contains a lot of aspects (creating other authenticators, creating our own UI over Keycloak etc.).
>
> In this thread I just want to create the authenticator that will take a user name and a user password and will authenticate against a Radius server.
> If it fails, the default UsernamePasswordForm authenticator should handle the authentication.
>
> I will really appreciate it if somebody helps me with the following questions.
>
> 1. Do you have an example that shows how to create a simple user name and password authenticator?
> 2. How can I configure the authentication provider via REST API?
> Will the configuration REST API be generated automatically?
>
> 3. I have created a simple authenticator that overrides UsernamePasswordForm.
> It appears in the UI.
> Unfortunately the request does not come to my implementation.
> What have I missed?
> I have opened a bug and attached sources: https://issues.jboss.org/browse/KEYCLOAK-3867
>
> Best regards,
> Michael
>
> ________________________________
> From: Thomas Darimont
> Sent: Sunday, November 6, 2016 11:42 AM
> To: Michael Furman
> Cc: Stian Thorgersen; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Creation UI for new authentication schema configuration.
>
> Hello Michael,
>
> if you want to create a custom browser flow by copying the original browser flow you need to bind your custom browser flow
> on the "Authentication -> Bindings" tab where you link your custom browser flow to be used as "the" browser flow.
>
> Cheers,
> Thomas
>
> 2016-11-06 10:33 GMT+01:00 Michael Furman:
> Hi Stian,
> I was able to add the authentication provider in 2.3.0 but only to the copied flow.
>
> 1. Why can I not add the execution to the Browser flow?
> If I copy the browser flow (and call it Browser2 flow) what flow will be default for the browser authentication?
> How can I configure the new Browser2 flow to be the default for browser authentications?
> 2. Will a REST API be generated for the configuration of the authentication provider?
> How can I configure it via REST API?
>
> Best regards,
> Michael
>
> ________________________________
> From: Stian Thorgersen
> Sent: Friday, November 4, 2016 7:52 AM
> To: Stian Thorgersen
> Cc: Michael Furman; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Creation UI for new authentication schema configuration.
>
> FYI we did check this example for 2.3.0.CR1 release so I doubt it's broken
>
> On 4 November 2016 at 06:51, Stian Thorgersen wrote:
> I don't know what you mean by it is not recognized by Keycloak. Did you follow the steps in the example to register it?
> See https://github.com/keycloak/keycloak/blob/master/examples/providers/authenticator/README.md
>
> On 3 November 2016 at 20:14, Michael Furman wrote:
>
> Hi,
>
> Unfortunately I cannot deploy the example authentication provider to Keycloak.
>
> Who can help?
>
> I have compiled authenticator-required-action-example from the examples.
> I copied the provider jar into the "standalone/configuration/providers" directory according to the document:
> https://keycloak.gitbooks.io/server-developer-guide/content/v/2.2/topics/auth-spi.html
>
> Unfortunately Keycloak does not recognize the provider.
> Then I copied it to the "providers" folder under the root Keycloak folder.
> Also without success.
>
> I have opened an issue https://issues.jboss.org/browse/KEYCLOAK-3856
>
> Best regards,
> Michael
>
> ________________________________
> From: Stian Thorgersen
> Sent: Tuesday, November 1, 2016 11:08 AM
> To: Michael Furman
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Creation UI for new authentication schema configuration.
>
> On the config for the authenticator. Please look at the docs and also the example, it explains this pretty well.
>
> On 31 October 2016 at 13:47, Michael Furman wrote:
> Thanks,
> Where will I see the generated UI?
> On the authentication page?
> http://localhost:8080/auth/admin/master/console/#/realms/master/authentication/flows/browser
> Also, can I add / update the authenticator configuration via REST API?
> http://www.keycloak.org/docs/rest-api/#_update_authenticator_configuration
> Thank you in advance for your help.
> Best regards,
> Michael
>
> ________________________________
> From: Stian Thorgersen
> Sent: Monday, October 31, 2016 8:00 AM
> To: Michael Furman
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Creation UI for new authentication schema configuration.
>
> Configuration UI is generated based on what's returned by the getConfigProperties method
>
> On 30 October 2016 at 12:28, Michael Furman wrote:
> Thanks Stian,
> I will be happy for additional clarifications.
> I have looked in https://keycloak.gitbooks.io/server-developer-guide/content/topics/auth-spi.html but was not able to find a lot.
> I think that the following is relevant:
>
> The next few methods define how the Authenticator can be configured.
> ...
> The getConfigProperties() method returns a list of ProviderConfigProperty objects. These objects define a specific configuration attribute.
>
> But according to my understanding the configuration should appear in the Authenticator configuration UI.
> Therefore, how should I create the UI?
>
> Additional question: will the new Authenticator appear in Authentication Flows:
> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/authentication/flows.html
> Will I be able to configure Required / Optional / Disabled for the new Authenticator?
> Thank you in advance for your help.
> Best regards,
> Michael
>
> ________________________________
> From: Stian Thorgersen
> Sent: Thursday, October 27, 2016 9:57 AM
> To: Michael Furman
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Creation UI for new authentication schema configuration.
>
> We don't support that directly so you would have to develop your own custom authenticator for it. The doc you linked describes how to do that.
>
> On 26 October 2016 at 17:08, Michael Furman wrote:
> Hi all,
> I want to add support for a new authentication schema.
> How can I add UI for the new authentication schema configuration?
> For example, I want to add the TACACS authentication schema.
> Therefore I need to configure the TACACS server IP and the secret.
> Maybe I have missed it but I cannot find it here:
> https://keycloak.gitbooks.io/server-developer-guide/content/topics/auth-spi.html
>
> Thank you in advance for your help.
> Best regards,
> Michael
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
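To see how the ALTERNATIVE/REQUIRED/OPTIONAL requirements and the SUCCESS/ATTEMPTED/FAILED results visible in Keycloak's "check execution" log lines play out for the Cookie/Radius/Forms flow Michael proposes, here is an added Python model (not Keycloak's code and not from anyone on this thread) that runs his four use cases and shows that the RADIUS authenticator must report "attempted" rather than "failure" on an Access-Reject for the Forms alternative to get its turn. It assumes, from the behaviour of Keycloak 2.x DefaultAuthenticationFlow, that a failure aborts the flow, that "attempted" aborts only a REQUIRED execution, and that a flow ending without a user fails; the user records and the RADIUS server are constructed stubs.

```python
"""Toy model of a Keycloak authentication flow with ALTERNATIVE executions (added example,
not Keycloak code).  Assumed from Keycloak 2.x DefaultAuthenticationFlow behaviour: FAILED
aborts the flow, ATTEMPTED aborts only a REQUIRED execution, SUCCESS on an ALTERNATIVE skips
the remaining alternatives, and a flow that ends without a user fails.  Users and the RADIUS
server are constructed stubs."""
from dataclasses import dataclass, field
from enum import Enum
from hmac import compare_digest
from typing import Callable, Dict, List, Optional

class Requirement(Enum):
    REQUIRED = "REQUIRED"
    ALTERNATIVE = "ALTERNATIVE"
    OPTIONAL = "OPTIONAL"
    DISABLED = "DISABLED"

class Result(Enum):
    SUCCESS = "SUCCESS"      # context.success()
    ATTEMPTED = "ATTEMPTED"  # context.attempted(): "not me, let the next execution try"
    FAILED = "FAILED"        # context.failure(...): hard error, the flow stops here

@dataclass
class Context:
    username: str
    password: str
    user: Optional[Dict[str, str]] = None           # the authenticated user, once established
    trace: List[str] = field(default_factory=list)  # mirrors Keycloak's "check execution" lines

@dataclass
class Execution:
    name: str
    requirement: Requirement
    authenticator: Callable[[Context], Result]

class FlowError(Exception): ...

def process_flow(executions: List[Execution], ctx: Context) -> Dict[str, str]:
    alternative_successful = False
    for ex in executions:
        if ex.requirement is Requirement.DISABLED:
            continue
        if ex.requirement is Requirement.ALTERNATIVE and alternative_successful:
            ctx.trace.append(f"{ex.name}: SKIPPED")
            continue
        result = ex.authenticator(ctx)
        ctx.trace.append(f"check execution: {ex.name} requirement: {ex.requirement.value} -> {result.value}")
        if result is Result.FAILED:
            raise FlowError(f"{ex.name} failed")
        if result is Result.ATTEMPTED and ex.requirement is Requirement.REQUIRED:
            raise FlowError(f"{ex.name} attempted but is REQUIRED")
        if result is Result.SUCCESS and ex.requirement is Requirement.ALTERNATIVE:
            alternative_successful = True
    if ctx.user is None:
        raise FlowError("unknown user")  # nothing in the flow established a user
    return ctx.user

# Constructed sample data (not real credentials): Keycloak's own DB and the RADIUS server.
LOCAL_USERS = {
    "bob": {"username": "bob", "firstName": "Bob", "email": "bob@example.test", "password": "pw-b"},
    "carol": {"username": "carol", "firstName": "Carol", "email": "carol@example.test", "password": "pw-c"},
}
RADIUS_USERS = {"alice": "pw-a", "bob": "pw-b"}

def cookie_authenticator(ctx: Context) -> Result:
    return Result.ATTEMPTED  # no SSO cookie in this scenario

def make_radius_authenticator(reject_result: Result) -> Callable[[Context], Result]:
    """reject_result is what the authenticator reports when RADIUS returns Access-Reject."""
    def radius_authenticator(ctx: Context) -> Result:
        expected = RADIUS_USERS.get(ctx.username)  # stands in for the RADIUS round trip
        if expected is None or not compare_digest(expected, ctx.password):
            return reject_result
        local = LOCAL_USERS.get(ctx.username)
        # Case 2: enrich from Keycloak's DB.  Case 1: only the user name is known; a real
        # authenticator would have to create that user, since Keycloak needs a UserModel.
        ctx.user = {k: v for k, v in local.items() if k != "password"} if local else {"username": ctx.username}
        return Result.SUCCESS
    return radius_authenticator

def forms_authenticator(ctx: Context) -> Result:
    """UsernamePasswordForm against Keycloak's DB: wrong credentials are a failure."""
    local = LOCAL_USERS.get(ctx.username)
    if local is None or not compare_digest(local["password"], ctx.password):
        return Result.FAILED
    ctx.user = {k: v for k, v in local.items() if k != "password"}
    return Result.SUCCESS

def authenticate(username: str, password: str, reject_result: Result = Result.ATTEMPTED):
    """Run the Cookie/Radius/Forms flow; returns (outcome, user-or-error, trace)."""
    flow = [Execution("Cookie", Requirement.ALTERNATIVE, cookie_authenticator),
            Execution("Radius", Requirement.ALTERNATIVE, make_radius_authenticator(reject_result)),
            Execution("Forms", Requirement.ALTERNATIVE, forms_authenticator)]
    ctx = Context(username, password)
    try:
        return "SUCCESS", process_flow(flow, ctx), ctx.trace
    except FlowError as err:
        return "FAILED", str(err), ctx.trace

if __name__ == "__main__":
    for name, pw in [("alice", "pw-a"), ("bob", "pw-b"), ("carol", "pw-c"), ("dave", "pw-d")]:
        print(name, *authenticate(name, pw)[:2])
    print("carol, RADIUS reject reported as FAILED:", *authenticate("carol", "pw-c", Result.FAILED)[:2])
```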
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From michael_furman at hotmail.com Tue Nov 8 07:30:49 2016
From: michael_furman at hotmail.com (Michael Furman)
Date: Tue, 8 Nov 2016 12:30:49 +0000
Subject: [keycloak-user] Keycloak Commercial support
Message-ID:

Dear people,

How can we get Keycloak Commercial support?
Cannot find any information except this:
http://blog.keycloak.org/2016/03/commercial-support.html

What will the commercial support include?
Will it provide faster answers to questions?
Faster bug resolution?

Thank you in advance,
Michael

From ssilvert at redhat.com Tue Nov 8 08:00:07 2016
From: ssilvert at redhat.com (Stan Silvert)
Date: Tue, 08 Nov 2016 08:00:07 -0500
Subject: [keycloak-user] Keycloak Commercial support
In-Reply-To:
References:
Message-ID: <5821CC57.70803@redhat.com>

RedHat Single Sign-on is the supported version. It is sold as part of a larger bundle. You get everything you are asking for and a lot more.

IMO, the biggest benefit is guaranteed security updates to all supported versions. That's pretty crucial for a production system.

Here is more info. You will need to get in touch with an account manager.
https://access.redhat.com/products/red-hat-single-sign-on#support

On 11/8/2016 7:30 AM, Michael Furman wrote:
> Dear people,
>
> How can we get Keycloak Commercial support?
>
> Cannot find any information except this:
> http://blog.keycloak.org/2016/03/commercial-support.html
>
> What will the commercial support include?
>
> Will it provide faster answers to questions?
> Faster bug resolution?
>
> Thank you in advance,
>
> Michael
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From pygator at linux.com Tue Nov 8 08:38:35 2016
From: pygator at linux.com (Ricardo Chu)
Date: Tue, 8 Nov 2016 08:38:35 -0500
Subject: [keycloak-user] Keycloak with EZproxy
In-Reply-To:
References:
Message-ID:

Stian,

We set "Client Signature Required" to off. See the screenshot here: https://drive.google.com/open?id=0B7GnoaXLMbnOS1l4dkNmQjFPSUk

I restarted keycloak and attempted to login via ezproxy. It looks like we get a little further down the login process but now get an NPE. You can see the log excerpt here: https://bitbucket.org/snippets/rachu/ddRze

Rick

On Mon, Nov 7, 2016 at 1:15 AM, Stian Thorgersen wrote:
> First guess is that EZProxy is not signing the login assertion and the
> client is configured in KC admin console to require signatures. Try turning
> "Client Signature Required" off for the client in the Keycloak admin
> console.
>
> On 5 November 2016 at 14:36, Ricardo Chu wrote:
>
>> Here is the trace output of this problem:
>> https://bitbucket.org/snippets/rachu/ddRze/keycloak-ezproxy-problem
>>
>> This log includes the startup of keycloak and the login attempt. The
>> login fails and the message "invalid requester" is displayed in the
>> browser.
>>
>> The trace shows the "Invalid signature on document" message.
>> Line 5211 says "Cannot find Signature element".
>>
>> Any idea what may cause this?
>>
>> Rick
>>
>> On Fri, Sep 30, 2016 at 3:25 AM, Stian Thorgersen wrote:
>>
>>> "XML External Entity switches are not supported. You may get XML
>>> injection
>>> vulnerabilities." is just a warning and shouldn't have anything to do
>>> with
>>> the issue.
>>>
>>> Try enabling trace logging for org.keycloak and see if you get any more
>>> details.
>>>
>>> On 23 September 2016 at 14:52, Bill Kuntz wrote:
>>>
>>> > Thanks.
>>> > >>> > >>> > >>> > When we attempt to authenticate using keycloak 2.2.0_final, we get the >>> > following log entries on the Keycloak server: >>> > >>> > >>> > >>> > 2016-09-23 08:44:09,842 WARN [org.keycloak.saml.common] (default >>> task-1) >>> > XML External Entity switches are not supported. You may get XML >>> injection >>> > vulnerabilities. >>> > >>> > 2016-09-23 08:44:09,948 ERROR [org.keycloak.protocol.saml.SamlService] >>> > (default task-1) request validation failed: >>> org.keycloak.common.VerificationException: >>> > Invalid signature on document >>> > >>> > at org.keycloak.protocol.saml.SamlProtocolUtils. >>> > verifyDocumentSignature(SamlProtocolUtils.java:57) >>> > >>> > at org.keycloak.protocol.saml.SamlProtocolUtils. >>> > verifyDocumentSignature(SamlProtocolUtils.java:50) >>> > >>> > at org.keycloak.protocol.saml.SamlService$ >>> > PostBindingProtocol.verifySignature(SamlService.java:405) >>> > >>> > at org.keycloak.protocol.saml.Sam >>> lService$BindingProtocol. >>> > handleSamlRequest(SamlService.java:186) >>> > >>> > at org.keycloak.protocol.saml.SamlService$ >>> > PostBindingProtocol.execute(SamlService.java:428) >>> > >>> > at org.keycloak.protocol.saml.SamlService.postBinding( >>> > SamlService.java:504) >>> > >>> > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native >>> > Method) >>> > >>> > at sun.reflect.NativeMethodAccessorImpl.invoke( >>> > NativeMethodAccessorImpl.java:62) >>> > >>> > at sun.reflect.DelegatingMethodAccessorImpl.invoke( >>> > DelegatingMethodAccessorImpl.java:43) >>> > >>> > at java.lang.reflect.Method.invoke(Method.java:498) >>> > >>> > at org.jboss.resteasy.core.MethodInjectorImpl.invoke( >>> > MethodInjectorImpl.java:139) >>> > >>> > at org.jboss.resteasy.core.ResourceMethodInvoker. >>> > invokeOnTarget(ResourceMethodInvoker.java:295) >>> > >>> > at org.jboss.resteasy.core.Resour >>> ceMethodInvoker.invoke( >>> > ResourceMethodInvoker.java:249) >>> > >>> > at org.jboss.resteasy.core.ResourceLocatorInvoker. 
>>> > invokeOnTargetObject(ResourceLocatorInvoker.java:138) >>> > >>> > at org.jboss.resteasy.core.Resour >>> ceLocatorInvoker.invoke( >>> > ResourceLocatorInvoker.java:101) >>> > >>> > at org.jboss.resteasy.core.Synchr >>> onousDispatcher.invoke( >>> > SynchronousDispatcher.java:395) >>> > >>> > at org.jboss.resteasy.core.Synchr >>> onousDispatcher.invoke( >>> > SynchronousDispatcher.java:202) >>> > >>> > at org.jboss.resteasy.plugins.server.servlet. >>> > ServletContainerDispatcher.service(ServletContainerDispatche >>> r.java:221) >>> > >>> > at org.jboss.resteasy.plugins.server.servlet. >>> > HttpServletDispatcher.service(HttpServletDispatcher.java:56) >>> > >>> > at org.jboss.resteasy.plugins.server.servlet. >>> > HttpServletDispatcher.service(HttpServletDispatcher.java:51) >>> > >>> > at javax.servlet.http.HttpServlet.service( >>> > HttpServlet.java:790) >>> > >>> > at io.undertow.servlet.handlers. >>> > ServletHandler.handleRequest(ServletHandler.java:85) >>> > >>> > at io.undertow.servlet.handlers. >>> > FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) >>> > >>> > at org.keycloak.services.filters. >>> > KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter. >>> > java:90) >>> > >>> > at io.undertow.servlet.core.ManagedFilter.doFilter( >>> > ManagedFilter.java:60) >>> > >>> > at io.undertow.servlet.handlers. >>> > FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) >>> > >>> > at io.undertow.servlet.handlers. >>> > FilterHandler.handleRequest(FilterHandler.java:84) >>> > >>> > at io.undertow.servlet.handlers.security. >>> > ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler. >>> > java:62) >>> > >>> > at io.undertow.servlet.handlers.S >>> ervletDispatchingHandler. >>> > handleRequest(ServletDispatchingHandler.java:36) >>> > >>> > at org.wildfly.extension.undertow.security. 
>>> > SecurityContextAssociationHandler.handleRequest( >>> > SecurityContextAssociationHandler.java:78) >>> > >>> > at io.undertow.server.handlers.PredicateHandler. >>> > handleRequest(PredicateHandler.java:43) >>> > >>> > at io.undertow.servlet.handlers.security. >>> > SSLInformationAssociationHandler.handleRequest( >>> > SSLInformationAssociationHandler.java:131) >>> > >>> > at io.undertow.servlet.handlers.security. >>> > ServletAuthenticationCallHandler.handleRequest( >>> > ServletAuthenticationCallHandler.java:57) >>> > >>> > at io.undertow.server.handlers.PredicateHandler. >>> > handleRequest(PredicateHandler.java:43) >>> > >>> > at io.undertow.security.handlers. >>> > AbstractConfidentialityHandler.handleRequest( >>> > AbstractConfidentialityHandler.java:46) >>> > >>> > at io.undertow.servlet.handlers.security. >>> > ServletConfidentialityConstraintHandler.handleRequest( >>> > ServletConfidentialityConstraintHandler.java:64) >>> > >>> > at io.undertow.security.handlers. >>> > AuthenticationMechanismsHandler.handleRequest( >>> > AuthenticationMechanismsHandler.java:60) >>> > >>> > at io.undertow.servlet.handlers.security. >>> > CachedAuthenticatedSessionHandler.handleRequest( >>> > CachedAuthenticatedSessionHandler.java:77) >>> > >>> > at io.undertow.security.handlers. >>> > NotificationReceiverHandler.handleRequest(NotificationReceiverHandler. >>> > java:50) >>> > >>> > at io.undertow.security.handlers. >>> > AbstractSecurityContextAssociationHandler.handleRequest( >>> > AbstractSecurityContextAssociationHandler.java:43) >>> > >>> > at io.undertow.server.handlers.PredicateHandler. >>> > handleRequest(PredicateHandler.java:43) >>> > >>> > at org.wildfly.extension.undertow.security.jacc. >>> > JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) >>> > >>> > at io.undertow.server.handlers.PredicateHandler. >>> > handleRequest(PredicateHandler.java:43) >>> > >>> > at io.undertow.server.handlers.PredicateHandler. 
>>> > handleRequest(PredicateHandler.java:43) >>> > >>> > at io.undertow.servlet.handlers.ServletInitialHandler. >>> > handleFirstRequest(ServletInitialHandler.java:284) >>> > >>> > at io.undertow.servlet.handlers.ServletInitialHandler. >>> > dispatchRequest(ServletInitialHandler.java:263) >>> > >>> > at io.undertow.servlet.handlers. >>> > ServletInitialHandler.access$000(ServletInitialHandler.java:81) >>> > >>> > at io.undertow.servlet.handlers.S >>> ervletInitialHandler$1. >>> > handleRequest(ServletInitialHandler.java:174) >>> > >>> > at io.undertow.server.Connectors. >>> > executeRootHandler(Connectors.java:202) >>> > >>> > at io.undertow.server.HttpServerExchange$1.run( >>> > HttpServerExchange.java:793) >>> > >>> > at java.util.concurrent.ThreadPoolExecutor.runWorker( >>> > ThreadPoolExecutor.java:1142) >>> > >>> > at java.util.concurrent.ThreadPoolExecutor$Worker.run( >>> > ThreadPoolExecutor.java:617) >>> > >>> > at java.lang.Thread.run(Thread.java:745) >>> > >>> > >>> > >>> > 2016-09-23 08:44:10,075 WARN [org.keycloak.events] (default task-1) >>> > type=LOGIN_ERROR, realmId=FLVC, clientId=null, userId=null, >>> > ipAddress=192.168.33.51, error=invalid_signature >>> > >>> > >>> > >>> > I have verified that the keys on the client match the server. Does the >>> > XML External Entities have something to do with this? >>> > >>> > >>> > >>> > Any help is appreciated. >>> > >>> > >>> > >>> > Thanks, >>> > >>> > Bill >>> > >>> > >>> > >>> > *From:* Stian Thorgersen [mailto:sthorger at redhat.com] >>> > *Sent:* Thursday, September 08, 2016 2:31 AM >>> > *To:* Bill Kuntz >>> > *Cc:* keycloak-user at lists.jboss.org >>> > *Subject:* Re: [keycloak-user] Keycloak with EZproxy >>> > >>> > >>> > >>> > Not sure what they mean about "authentication sequence identical to a >>> > standard Shibboleth Identity Provider", but Keycloak is pretty >>> configurable >>> > so it should be possible to adapt the SAML configuration for the >>> client to >>> > make it work with EZProxy. 
>>> >
>>> > On 1 September 2016 at 17:47, Bill Kuntz wrote:
>>> >
>>> > Has anyone successfully used Keycloak with OCLC's EZProxy? We have been
>>> > experimenting with Keycloak, and have been able to get it working with
>>> > other SPs, but not EZProxy.
>>> >
>>> > OCLC says "EZproxy supports connecting to non-Shibboleth SAML2 SSO
>>> > systems if and only if that system uses an authentication sequence
>>> > identical to a standard Shibboleth Identity Provider (IDP)."
>>> >
>>> > Thanks,
>>> > Bill
>>> >
>>> > _______________________________________________
>>> > keycloak-user mailing list
>>> > keycloak-user at lists.jboss.org
>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>> >
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>

From alan.gibson at gmail.com Tue Nov 8 08:59:13 2016
From: alan.gibson at gmail.com (Alan Gibson)
Date: Tue, 8 Nov 2016 14:59:13 +0100
Subject: [keycloak-user] High Utilization with Keycloak Spring Boot adapter
In-Reply-To:
References:
Message-ID:

Thanks for the info Thomas. Can you clarify what you mean by "rely on the HttpSession for the subsequent ones"?

I've got Spring Session configured in the Spring Boot service, but that doesn't seem to make any difference.

    <dependency>
        <groupId>org.springframework.session</groupId>
        <artifactId>spring-session</artifactId>
    </dependency>

    @EnableSpringHttpSession
    @Configuration
    public class SpringHttpSessionConfig {
        @Bean
        public MapSessionRepository sessionRepository() {
            return new MapSessionRepository();
        }
    }

AFAIK, the Basic auth header is supposed to be sent with every HTTP request. So if every request with Basic auth headers results in a new SSO session within Keycloak, then it would seem that there is no (standards compliant) way to use Basic auth without hammering Keycloak and opening loads of sessions.
I assume I'm missing something really obvious here, but I can't think of what. Does keycloak-spring-boot-adapter just not work as a transparent 'proxy' for Basic auth this way? Br, Alan On Tue, Nov 8, 2016 at 6:02 AM, Thomas Raehalme < thomas.raehalme at aitiofinland.com> wrote: > Hi! > > With direct access grants and Basic auth you should authenticate with the > first request, then rely on the HttpSession for the subsequent ones. Every > request with the Basic auth header opens a new SSO session within Keycloak. > > Best regards, > Thomas > > On Nov 7, 2016 11:33 PM, "Alan Gibson" wrote: > > Hello all, > > During load testing the REST API of a Spring Boot based microservice, we > noticed that Keycloak was forming a huge bottleneck. We had 3 instances of > Keycloak (running in clustered mode), each of which was consuming 100% of 8 > Xeon CPUs, while only hitting about 80 API calls per second. The load test > itself used 800 concurrent users, each doing 1 HTTP request every 100 > milliseconds. > > It looks like every time a POST is made to the REST API, Spring Boot makes > a call to Keycloak to (re)authenticate the user. 
The Keycloak logs are > filled with: > > 2016-11-06 11:48:07,819 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] > (default task-74) RESTEASY002315: PathInfo: /realms/proxy/protocol/openid- > connect/token > 2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) > AUTHENTICATE CLIENT > 2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) > client authenticator: client-secret > 2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) > client authenticator SUCCESS: client-secret > 2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) > Client devicereportreceiver authenticated by client-secret > 2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) > AUTHENTICATE ONLY > 2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) > processFlow > 2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) > check execution: direct-grant-validate-username requirement: REQUIRED > 2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) > authenticator: direct-grant-validate-username > 2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) > invoke authenticator.authenticate > 2016-11-06 11:48:07,821 DEBUG [org.keycloak.services] (default task-74) > authenticator SUCCESS: direct-grant-validate-username > 2016-11-06 11:48:07,821 DEBUG [org.keycloak.services] (default task-74) > check execution: direct-grant-validate-password requirement: REQUIRED > 2016-11-06 11:48:07,821 DEBUG [org.keycloak.services] (default task-74) > authenticator: direct-grant-validate-password > 2016-11-06 11:48:07,821 DEBUG [org.keycloak.services] (default task-74) > invoke authenticator.authenticate > 2016-11-06 11:48:07,821 DEBUG > [org.hibernate.engine.transaction.internal.TransactionImpl] > (default task-74) begin > 2016-11-06 11:48:07,821 DEBUG > [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] > (default task-74) KeycloakDS: 
getConnection(null, > WrappedConnectionRequestInfo at 25df8309[userName=postgres]) [0/20] > 2016-11-06 11:48:09,560 DEBUG [org.keycloak.services] (default task-74) > authenticator SUCCESS: direct-grant-validate-password > 2016-11-06 11:48:09,560 DEBUG [org.keycloak.services] (default task-74) > check execution: direct-grant-validate-otp requirement: OPTIONAL > 2016-11-06 11:48:09,560 DEBUG [org.keycloak.services] (default task-74) > authenticator: direct-grant-validate-otp > 2016-11-06 11:48:09,569 DEBUG [org.keycloak.services] (default task-74) > invoke authenticator.authenticate > 2016-11-06 11:48:09,569 DEBUG [org.keycloak.services] (default task-74) > authenticator ATTEMPTED: direct-grant-validate-otp > 2016-11-06 11:48:09,569 DEBUG [org.keycloak.services] (default task-74) > Using full scope for client > 2016-11-06 11:48:09,569 DEBUG [org.keycloak.services] (default task-74) > Using full scope for client > 2016-11-06 11:48:09,739 DEBUG [org.keycloak.events] (default task-74) > type=LOGIN, realmId=REMOVED, clientId=REMOVED, userId=REMOVED, > ipAddress=REMOVED, auth_method=openid-connect, token_id=REMOVED, > grant_type=password, refresh_token_type=Refresh, refresh_token_id=REMOVED, > client_auth_method=client-secret, username=REMOVED > 2016-11-06 11:48:09,739 DEBUG > [org.hibernate.engine.transaction.internal.TransactionImpl] > (default task-74) committing > 2016-11-06 11:48:09,751 DEBUG > [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] > (default task-74) KeycloakDS: returnConnection(2aab4b06, false) [0/20] > > The Spring Boot application.properties looks like > > keycloak.realm=REMOVED > keycloak.realmKey=REMOVED > keycloak.auth-server-url=${KEYCLOAK_AUTHENTICATION_SERVER} > keycloak.ssl-required=none > keycloak.resource=REMOVED > #keycloak.use-resource-role-mappings=true > keycloak.enable-basic-auth=true > keycloak.credentials.secret=${KEYCLOAK_CLIENT_SECRET} > keycloak.cors=true > 
keycloak.cors-allowed-headers=x-requested-with,origin,content-type,accept,authorization > keycloak.cors-allowed-methods=GET,POST,DELETE,PUT,OPTIONS > keycloak.cors-max-age=3600 > keycloak.expose-token=true > keycloak.bearer-only=true > keycloak.securityConstraints[0].securityCollections[0].name=REMOVED > keycloak.securityConstraints[0].securityCollections[0].authRoles[0]=user > keycloak.securityConstraints[0].securityCollections[0].patterns[0]=/REMOVED > keycloak.securityConstraints[1].securityCollections[0].name=REMOVED > keycloak.securityConstraints[1].securityCollections[0].authRoles[0]=DEVICE > keycloak.securityConstraints[1].securityCollections[0].patterns[0]=/REMOVED/* > > So my questions are: > > 1. Would you expect to see this kind of high utilization with my test > scenario? > > 2. Should the Keycloak Spring Boot adapter be reauthenticating with every > request, as opposed to caching the authentication results for a short > period of time, or just relying on normal HTTP sessions? > > Br, > Alan > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > From alan.gibson at gmail.com Tue Nov 8 09:06:41 2016 From: alan.gibson at gmail.com (Alan Gibson) Date: Tue, 8 Nov 2016 15:06:41 +0100 Subject: [keycloak-user] Expose JGroups ports in Docker keycloak-ha-postgres In-Reply-To: References: Message-ID: Hi Staffan, We've got 3 clustered Keycloak nodes running in Docker with host (not bridge) networking and managed by Mesos/Marathon. Cluster communications run over UDP. We start them with the following command.
    /opt/jboss/docker-entrypoint.sh \
      -Dkeycloak.migration.action={{keycloak_migration_action}} \
      -Dkeycloak.migration.provider={{keycloak_migration_provider}} \
      -Dkeycloak.migration.file={{keycloak_migration_file}} \
      -Dkeycloak.migration.strategy={{keycloak_migration_strategy}} \
      -Djboss.jgroups.stack={{keycloak_jgroups_stack}} \
      -Djboss.jgroups.udp.port={{keycloak_jgroups_udp_port}} \
      -Djboss.jgroups.udp.multicast.port={{keycloak_jgroups_udp_multicast_port}} \
      -Djboss.jgroups.udp.fd.port={{keycloak_jgroups_udp_fd_port}} \
      -Djboss.management.http.port=$PORT1 \
      -Djboss.http.port=$PORT0 \
      -Djboss.bind.address.private=$(hostname -i) \
      -b 0.0.0.0 -bmanagement 0.0.0.0 \
      --server-config standalone-ha.xml

    keycloak_jgroups_stack: udp
    keycloak_jgroups_udp_port: 5520
    keycloak_jgroups_udp_multicast_port: 4568
    keycloak_jgroups_udp_fd_port: 5420

The magic ingredient is getting the jboss.bind.address.private address from the shell with $(hostname -i). Note that this is definitely not foolproof, so YMMV. Br, Alan On Tue, Nov 8, 2016 at 11:59 AM, Staffan wrote: > Hi, > > I've tried in different docker environments (compose, kubernetes, > standalone) to get a HA setup running using https://hub.docker.com/r/jboss/keycloak-ha-postgres/. > > Keycloak nodes start, but are unaware of each other. I fail to reach the > JGroups ports from any other container or host system. That is expected, as > https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.3/topics/clustering/multicast.html > advises you to configure jboss.bind.address.private.
> > But when I try -Djboss.bind.address.private=0.0.0.0 there's an error > during > startup: > > MSC000001: Failed to start service jboss.jgroups.channel.ee: > org.jboss.msc.service.StartException in service jboss.jgroups.channel.ee: > java.security.PrivilegedActionException: java.net.BindException: [UDP] / > 0.0.0.0 is not a valid address on any local network interface > at org.wildfly.clustering.jgroups.spi.service.ChannelBuilder.start( > ChannelBuilder.java:80) > Caused by: java.security.PrivilegedActionException: > java.net.BindException: > [UDP] /0.0.0.0 is not a valid address on any local network interface > at org.wildfly.security.manager.WildFlySecurityManager.doChecked( > WildFlySecurityManager.java:640) > Caused by: java.net.BindException: [UDP] /0.0.0.0 is not a valid address > on > any local network interface > at org.jgroups.util.Util.checkIfValidAddress(Util.java:3522) > > ... or if I switch to stack="tcp" in the jgroups subsystem: > > MSC000001: Failed to start service jboss.jgroups.channel.ee: > org.jboss.msc.service.StartException in service jboss.jgroups.channel.ee: > java.security.PrivilegedActionException: java.net.BindException: [TCP] / > 0.0.0.0 is not a valid address on any local network interface > > I guess this is a generic Wildfly topic, but I'm curious how the official > Keycloak docker containers are tested. In a docker environment, what can we > bind to other than 0.0.0.0 or 127.0.0.1? Is there a way to allow a > "privileged action"? > > regards > Staffan Olsson > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From michael_furman at hotmail.com Tue Nov 8 10:10:07 2016 From: michael_furman at hotmail.com (Michael Furman) Date: Tue, 8 Nov 2016 15:10:07 +0000 Subject: [keycloak-user] Can not authenticate user using Spring Security Adapter In-Reply-To: References: Message-ID: Hi all, Can anybody help with this issue? 
Probably I am missing something small. I have succeeded in working with mod-auth-openidc and mitreid clients. Probably I am missing something small and I really need your help. Best regards, Michael ________________________________ From: keycloak-user-bounces at lists.jboss.org on behalf of Michael Furman Sent: Monday, November 7, 2016 4:49 PM To: keycloak-user at lists.jboss.org Subject: [keycloak-user] Can not authenticate user using Spring Security Adapter Hi, I would appreciate your help on the issue below. I am trying to configure the Spring Security Adapter (version 2.3.0.Final): https://keycloak.gitbooks.io/securing-client-applications-guide/content/topics/oidc/java/spring-security-adapter.html I suppose that Keycloak uses static client registration, since when I try to connect without the client configuration in Keycloak I get the following: 16:15:43,174 WARN [org.keycloak.events] (default task-3) type=LOGIN_ERROR, realmId=master, clientId=st_1, userId=null, ipAddress=192.168.111.33, error=client_not_found Please note that I was able to connect to Keycloak using a non-Keycloak OIDC client with the following configuration: a) clientId b) clientSecret c) Scopes d) redirectUris Therefore I have configured the client in Keycloak using the same information.
I am not sure what "Valid Redirect URIs" is, and I have configured the following value: http://192.168.110.2:8081/app/sso/login Now the client redirects to the Keycloak IDP using this URL: http://192.168.110.2:8080/auth/realms/master/protocol/openid-connect/auth?response_type=code&client_id=testclient&redirect_uri=http%3A%2F%2F192.168.110.2%3A8081%2Fapp%2Fsso%2Flogin&state=10%2Fc0079a4b-e896-4400-9357-77fdacde9a56&login=true&scope=openid I authenticate the user and the IDP returns to the client using this URL: http://192.168.110.2:8081/app/sso/login?state=14%2F9a4376fa-06e2-4188-a616-a182363dab3a&code=JzKXHOm7jRp5pkfT6GT6rRPZ5HOcZyGEB5uA-fjrk1I.7d91a145-76a5-4bc4-960f-f4a67f242fba Unfortunately, I then get an endless loop. While debugging KeycloakAuthenticationProcessingFilter I see that AuthOutcome gets the value NOT_ATTEMPTED, and it causes an additional redirect to the IDP. What have I missed? I have opened the bug https://issues.jboss.org/browse/KEYCLOAK-3868 with the json file and Spring Security configuration attached. Best regards, Michael _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From bepittman at amplify.com Tue Nov 8 11:05:46 2016 From: bepittman at amplify.com (Ben Pittman) Date: Tue, 8 Nov 2016 11:05:46 -0500 Subject: [keycloak-user] Possible to create a SecurityIdentityProviderFactory with custom provider? In-Reply-To: References: Message-ID: Thanks for the reply Stian, I work in the education industry and I'm creating a SocialIdentityProvider to integrate with a company called Clever. They're big in education but little known outside it. I'm more than happy to contribute it if you think it would add value. On Tue, Nov 8, 2016 at 2:08 AM, Stian Thorgersen wrote: > No such thing as a SecurityIdentityProvider. You want to create a > provider of SocialIdentityProvider.
For example take a look at the Google > provider: > > https://github.com/keycloak/keycloak/blob/292777259e65a78b1df0bfd8578a2ff8bc22fc21/services/src/main/java/org/keycloak/social/google/GoogleIdentityProvider.java > > What social provider are you adding? Maybe you'd like to contribute it to > us if it's a well known one. > > On 7 November 2016 at 19:50, Ben Pittman wrote: > >> I'm running Keycloak 1.9.8.Final. I just want to add another social >> provider with some custom logic (boilerplate OpenID won't work in my >> case). I've registered my module that >> overrides SecurityIdentityProviderFactory and provided my own Provider >> and >> Factory classes but get a 'resource not found' when I try and access the >> provider from the Keycloak UI. >> >> I've also tried adding my own LoginProtocolFactory module and I see it get >> registered on startup but there is no item for it in the 'add provider' >> identity drop-down..... >> >> Is what I'm trying to do just not possible? Or is there something obvious >> I'm missing outside of registering modules above to get this to work? >> >> Regards, >> Ben >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > From niko at n-k.de Tue Nov 8 11:11:17 2016 From: niko at n-k.de (=?utf-8?Q?Niko_K=C3=B6bler?=) Date: Tue, 8 Nov 2016 17:11:17 +0100 Subject: [keycloak-user] High Utilization with Keycloak Spring Boot adapter In-Reply-To: References: Message-ID: <7C8C01B3-65FC-4EAA-9D4A-B1C9E1D76832@n-k.de> Using BasicAuth in a Microservice architecture is IMHO bad design. This is where the Bearer-Token comes in - just use this for authorization and you don't have to authenticate every request with the KC server! Additionally you don't need any sessions in your application. > On 08.11.2016 at 14:59, Alan Gibson wrote: > > Thanks for the info Thomas.
Can you clarify what you mean by "rely on the > HttpSession for the subsequent ones"? I've got Spring Session configured in > the Spring Boot service, but that doesn't seem to make any difference. > > > org.springframework.session > spring-session > > > @EnableSpringHttpSession > @Configuration > public class SpringHttpSessionConfig { > @Bean > public MapSessionRepository sessionRepository() { > return new MapSessionRepository(); > } > } > > AFAIK, the Basic auth header is supposed to be sent with every HTTP > request. So if every request with Basic auth headers results in a new SSO > session within Keycloak, then it would seem that there is no (standards > compliant) way to use Basic auth without hammering Keycloak and opening > loads of sessions. > > I assume I'm missing something really obvious here, but I can't think of > what. Does keycloak-spring-boot-adapter just not work as a transparent > 'proxy' for Basic auth this way? > > Br, Alan > > On Tue, Nov 8, 2016 at 6:02 AM, Thomas Raehalme < > thomas.raehalme at aitiofinland.com> wrote: > >> Hi! >> >> With direct access grants and Basic auth you should authenticate with the >> first request, then rely on the HttpSession for the subsequent ones. Every >> request with the Basic auth header opens a new SSO session within Keycloak. >> >> Best regards, >> Thomas >> >> On Nov 7, 2016 11:33 PM, "Alan Gibson" wrote: >> >> Hello all, >> >> During load testing the REST API of a Spring Boot based microservice, we >> noticed that Keycloak was forming a huge bottleneck. We had 3 instances of >> Keycloak (running in clustered mode), each of which was consuming 100% of 8 >> Xeon CPUs, while only hitting about 80 API calls per second. The load test >> itself used 800 concurrent users, each doing 1 HTTP request every 100 >> milliseconds. >> >> It looks like every time a POST is made to the REST API, Spring Boot makes >> a call to Keycloak to (re)authenticate the user. 
The Keycloak logs are >> filled with: >> >> 2016-11-06 11:48:07,819 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] >> (default task-74) RESTEASY002315: PathInfo: /realms/proxy/protocol/openid- >> connect/token >> 2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) >> AUTHENTICATE CLIENT >> 2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) >> client authenticator: client-secret >> 2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) >> client authenticator SUCCESS: client-secret >> 2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) >> Client devicereportreceiver authenticated by client-secret >> 2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) >> AUTHENTICATE ONLY >> 2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) >> processFlow >> 2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) >> check execution: direct-grant-validate-username requirement: REQUIRED >> 2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) >> authenticator: direct-grant-validate-username >> 2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) >> invoke authenticator.authenticate >> 2016-11-06 11:48:07,821 DEBUG [org.keycloak.services] (default task-74) >> authenticator SUCCESS: direct-grant-validate-username >> 2016-11-06 11:48:07,821 DEBUG [org.keycloak.services] (default task-74) >> check execution: direct-grant-validate-password requirement: REQUIRED >> 2016-11-06 11:48:07,821 DEBUG [org.keycloak.services] (default task-74) >> authenticator: direct-grant-validate-password >> 2016-11-06 11:48:07,821 DEBUG [org.keycloak.services] (default task-74) >> invoke authenticator.authenticate >> 2016-11-06 11:48:07,821 DEBUG >> [org.hibernate.engine.transaction.internal.TransactionImpl] >> (default task-74) begin >> 2016-11-06 11:48:07,821 DEBUG >> [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] >> (default 
task-74) KeycloakDS: getConnection(null, >> WrappedConnectionRequestInfo at 25df8309[userName=postgres]) [0/20] >> 2016-11-06 11:48:09,560 DEBUG [org.keycloak.services] (default task-74) >> authenticator SUCCESS: direct-grant-validate-password >> 2016-11-06 11:48:09,560 DEBUG [org.keycloak.services] (default task-74) >> check execution: direct-grant-validate-otp requirement: OPTIONAL >> 2016-11-06 11:48:09,560 DEBUG [org.keycloak.services] (default task-74) >> authenticator: direct-grant-validate-otp >> 2016-11-06 11:48:09,569 DEBUG [org.keycloak.services] (default task-74) >> invoke authenticator.authenticate >> 2016-11-06 11:48:09,569 DEBUG [org.keycloak.services] (default task-74) >> authenticator ATTEMPTED: direct-grant-validate-otp >> 2016-11-06 11:48:09,569 DEBUG [org.keycloak.services] (default task-74) >> Using full scope for client >> 2016-11-06 11:48:09,569 DEBUG [org.keycloak.services] (default task-74) >> Using full scope for client >> 2016-11-06 11:48:09,739 DEBUG [org.keycloak.events] (default task-74) >> type=LOGIN, realmId=REMOVED, clientId=REMOVED, userId=REMOVED, >> ipAddress=REMOVED, auth_method=openid-connect, token_id=REMOVED, >> grant_type=password, refresh_token_type=Refresh, refresh_token_id=REMOVED, >> client_auth_method=client-secret, username=REMOVED >> 2016-11-06 11:48:09,739 DEBUG >> [org.hibernate.engine.transaction.internal.TransactionImpl] >> (default task-74) committing >> 2016-11-06 11:48:09,751 DEBUG >> [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] >> (default task-74) KeycloakDS: returnConnection(2aab4b06, false) [0/20] >> >> The Spring Boot application.properties looks like >> >> keycloak.realm=REMOVED >> keycloak.realmKey=REMOVED >> keycloak.auth-server-url=${KEYCLOAK_AUTHENTICATION_SERVER} >> keycloak.ssl-required=none >> keycloak.resource=REMOVED >> #keycloak.use-resource-role-mappings=true >> keycloak.enable-basic-auth=true >> keycloak.credentials.secret=${KEYCLOAK_CLIENT_SECRET} >> keycloak.cors=true >> 
keycloak.cors-allowed-headers=x-requested-with,origin,content-type,accept,authorization >> keycloak.cors-allowed-methods=GET,POST,DELETE,PUT,OPTIONS >> keycloak.cors-max-age=3600 >> keycloak.expose-token=true >> keycloak.bearer-only=true >> keycloak.securityConstraints[0].securityCollections[0].name=REMOVED >> keycloak.securityConstraints[0].securityCollections[0].authRoles[0]=user >> keycloak.securityConstraints[0].securityCollections[0].patterns[0]=/REMOVED >> keycloak.securityConstraints[1].securityCollections[0].name=REMOVED >> keycloak.securityConstraints[1].securityCollections[0].authRoles[0]=DEVICE >> keycloak.securityConstraints[1].securityCollections[0].patterns[0]=/REMOVED/* >> >> So my questions are: >> >> 1. Would you expect to see this kind of high utilization with my test >> scenario? >> >> 2. Should the Keycloak Spring Boot adapter be reauthenticating with every >> request, as opposed to caching the authentication results for a short >> period of time, or just relying on normal HTTP sessions? >> >> Br, >> Alan >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From thomas.raehalme at aitiofinland.com Tue Nov 8 11:31:23 2016 From: thomas.raehalme at aitiofinland.com (Thomas Raehalme) Date: Tue, 8 Nov 2016 18:31:23 +0200 Subject: [keycloak-user] High Utilization with Keycloak Spring Boot adapter In-Reply-To: References: Message-ID: Hi! I meant that the client should store the cookie set by the server after the first request and include it in subsequent requests (instead of the Basic auth header). But as Niko wrote in his email you should consider using Bearer tokens for much better performance.
We are using spring-security-oauth2 [1] in our projects as it provides a drop-in replacement for Spring's RestTemplate. [1] https://github.com/spring-projects/spring-security-oauth/tree/master/spring-security-oauth2 Best regards, Thomas On Tue, Nov 8, 2016 at 3:59 PM, Alan Gibson wrote: > Thanks for the info Thomas. Can you clarify what you mean by "rely on the > HttpSession for the subsequent ones"? I've got Spring Session configured in > the Spring Boot service, but that doesn't seem to make any difference. > > > org.springframework.session > spring-session > > > @EnableSpringHttpSession > @Configuration > public class SpringHttpSessionConfig { > @Bean > public MapSessionRepository sessionRepository() { > return new MapSessionRepository(); > } > } > > AFAIK, the Basic auth header is supposed to be sent with every HTTP > request. So if every request with Basic auth headers results in a new SSO > session within Keycloak, then it would seem that there is no (standards > compliant) way to use Basic auth without hammering Keycloak and opening > loads of sessions. > > I assume I'm missing something really obvious here, but I can't think of > what. Does keycloak-spring-boot-adapter just not work as a transparent > 'proxy' for Basic auth this way? > > Br, Alan > > On Tue, Nov 8, 2016 at 6:02 AM, Thomas Raehalme < > thomas.raehalme at aitiofinland.com> wrote: > >> Hi! >> >> With direct access grants and Basic auth you should authenticate with the >> first request, then rely on the HttpSession for the subsequent ones. Every >> request with the Basic auth header opens a new SSO session within Keycloak. >> >> Best regards, >> Thomas >> >> On Nov 7, 2016 11:33 PM, "Alan Gibson" wrote: >> >> Hello all, >> >> During load testing the REST API of a Spring Boot based microservice, we >> noticed that Keycloak was forming a huge bottleneck. 
We had 3 instances of >> Keycloak (running in clustered mode), each of which was consuming 100% of >> 8 >> Xeon CPUs, while only hitting about 80 API calls per second. The load test >> itself used 800 concurrent users, each doing 1 HTTP request every 100 >> milliseconds. >> >> It looks like every time a POST is made to the REST API, Spring Boot makes >> a call to Keycloak to (re)authenticate the user. The Keycloak logs are >> filled with: >> >> 2016-11-06 11:48:07,819 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] >> (default task-74) RESTEASY002315: PathInfo: /realms/proxy/protocol/openid- >> connect/token >> 2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) >> AUTHENTICATE CLIENT >> 2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) >> client authenticator: client-secret >> 2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) >> client authenticator SUCCESS: client-secret >> 2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) >> Client devicereportreceiver authenticated by client-secret >> 2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) >> AUTHENTICATE ONLY >> 2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) >> processFlow >> 2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) >> check execution: direct-grant-validate-username requirement: REQUIRED >> 2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) >> authenticator: direct-grant-validate-username >> 2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) >> invoke authenticator.authenticate >> 2016-11-06 11:48:07,821 DEBUG [org.keycloak.services] (default task-74) >> authenticator SUCCESS: direct-grant-validate-username >> 2016-11-06 11:48:07,821 DEBUG [org.keycloak.services] (default task-74) >> check execution: direct-grant-validate-password requirement: REQUIRED >> 2016-11-06 11:48:07,821 DEBUG [org.keycloak.services] 
(default task-74) >> authenticator: direct-grant-validate-password >> 2016-11-06 11:48:07,821 DEBUG [org.keycloak.services] (default task-74) >> invoke authenticator.authenticate >> 2016-11-06 11:48:07,821 DEBUG >> [org.hibernate.engine.transaction.internal.TransactionImpl] >> (default task-74) begin >> 2016-11-06 11:48:07,821 DEBUG >> [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] >> (default task-74) KeycloakDS: getConnection(null, >> WrappedConnectionRequestInfo at 25df8309[userName=postgres]) [0/20] >> 2016-11-06 11:48:09,560 DEBUG [org.keycloak.services] (default task-74) >> authenticator SUCCESS: direct-grant-validate-password >> 2016-11-06 11:48:09,560 DEBUG [org.keycloak.services] (default task-74) >> check execution: direct-grant-validate-otp requirement: OPTIONAL >> 2016-11-06 11:48:09,560 DEBUG [org.keycloak.services] (default task-74) >> authenticator: direct-grant-validate-otp >> 2016-11-06 11:48:09,569 DEBUG [org.keycloak.services] (default task-74) >> invoke authenticator.authenticate >> 2016-11-06 11:48:09,569 DEBUG [org.keycloak.services] (default task-74) >> authenticator ATTEMPTED: direct-grant-validate-otp >> 2016-11-06 11:48:09,569 DEBUG [org.keycloak.services] (default task-74) >> Using full scope for client >> 2016-11-06 11:48:09,569 DEBUG [org.keycloak.services] (default task-74) >> Using full scope for client >> 2016-11-06 11:48:09,739 DEBUG [org.keycloak.events] (default task-74) >> type=LOGIN, realmId=REMOVED, clientId=REMOVED, userId=REMOVED, >> ipAddress=REMOVED, auth_method=openid-connect, token_id=REMOVED, >> grant_type=password, refresh_token_type=Refresh, refresh_token_id=REMOVED, >> client_auth_method=client-secret, username=REMOVED >> 2016-11-06 11:48:09,739 DEBUG >> [org.hibernate.engine.transaction.internal.TransactionImpl] >> (default task-74) committing >> 2016-11-06 11:48:09,751 DEBUG >> [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] >> (default task-74) KeycloakDS: returnConnection(2aab4b06, 
false) [0/20] >> >> The Spring Boot application.properties looks like >> >> keycloak.realm=REMOVED >> keycloak.realmKey=REMOVED >> keycloak.auth-server-url=${KEYCLOAK_AUTHENTICATION_SERVER} >> keycloak.ssl-required=none >> keycloak.resource=REMOVED >> #keycloak.use-resource-role-mappings=true >> keycloak.enable-basic-auth=true >> keycloak.credentials.secret=${KEYCLOAK_CLIENT_SECRET} >> keycloak.cors=true >> keycloak.cors-allowed-headers=x-requested-with,origin,content-type,accept,authorization >> keycloak.cors-allowed-methods=GET,POST,DELETE,PUT,OPTIONS >> keycloak.cors-max-age=3600 >> keycloak.expose-token=true >> keycloak.bearer-only=true >> keycloak.securityConstraints[0].securityCollections[0].name=REMOVED >> keycloak.securityConstraints[0].securityCollections[0].authRoles[0]=user >> keycloak.securityConstraints[0].securityCollections[0].patterns[0]=/REMOVED >> keycloak.securityConstraints[1].securityCollections[0].name=REMOVED >> keycloak.securityConstraints[1].securityCollections[0].authRoles[0]=DEVICE >> keycloak.securityConstraints[1].securityCollections[0].patterns[0]=/REMOVED/* >> >> So my questions are: >> >> 1. Would you expect to see this kind of high utilization with my test >> scenario? >> >> 2. Should the Keycloak Spring Boot adapter be reauthenticating with every >> request, as opposed to caching the authentication results for a short >> period of time, or just relying on normal HTTP sessions? >> >> Br, >> Alan >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> > From alan.gibson at gmail.com Tue Nov 8 12:05:16 2016 From: alan.gibson at gmail.com (Alan Gibson) Date: Tue, 8 Nov 2016 18:05:16 +0100 Subject: [keycloak-user] High Utilization with Keycloak Spring Boot adapter In-Reply-To: References: Message-ID: We'll definitely switch away from Basic auth in the future.
But what I didn't mention is that this REST api has only one client, which is a legacy application. This app currently sends Basic auth headers with every request. It will be several months before the resources are available to update it. That's why I was trying to find a reasonably performant configuration on the REST api microservice side as a temporary hack. From the sound of it, I think the most expedient thing to do would be to just set the Basic auth username and password properties in application.properties until we get around to changing how auth works in the legacy client. On Nov 8, 2016 5:31 PM, "Thomas Raehalme" wrote: > Hi! > > I meant that the client should store the cookie set by the server after > the first request and include it in subsequent requests (instead of the > Basic auth header). > > But as Niko wrote in his email you should consider using Bearer tokens for > much better performance. We are using spring-security-oauth2 [1] in our > projects as it provides a drop-in replacement for Spring's RestTemplate. > > [1] https://github.com/spring-projects/spring-security-oauth/tree/master/spring-security-oauth2 > > Best regards, > Thomas > > > On Tue, Nov 8, 2016 at 3:59 PM, Alan Gibson wrote: > >> Thanks for the info Thomas. Can you clarify what you mean by "rely on the >> HttpSession for the subsequent ones"? I've got Spring Session configured in >> the Spring Boot service, but that doesn't seem to make any difference. >> >> >> org.springframework.session >> spring-session >> >> >> @EnableSpringHttpSession >> @Configuration >> public class SpringHttpSessionConfig { >> @Bean >> public MapSessionRepository sessionRepository() { >> return new MapSessionRepository(); >> } >> } >> >> AFAIK, the Basic auth header is supposed to be sent with every HTTP >> request.
So if every request with Basic auth headers results in a new SSO >> session within Keycloak, then it would seem that there is no (standards >> compliant) way to use Basic auth without hammering Keycloak and opening >> loads of sessions. >> >> I assume I'm missing something really obvious here, but I can't think of >> what. Does keycloak-spring-boot-adapter just not work as a transparent >> 'proxy' for Basic auth this way? >> >> Br, Alan >> >> On Tue, Nov 8, 2016 at 6:02 AM, Thomas Raehalme < >> thomas.raehalme at aitiofinland.com> wrote: >> >>> Hi! >>> >>> With direct access grants and Basic auth you should authenticate with >>> the first request, then rely on the HttpSession for the subsequent ones. >>> Every request with the Basic auth header opens a new SSO session within >>> Keycloak. >>> >>> Best regards, >>> Thomas >>> >>> On Nov 7, 2016 11:33 PM, "Alan Gibson" wrote: >>> >>> Hello all, >>> >>> During load testing the REST API of a Spring Boot based microservice, we >>> noticed that Keycloak was forming a huge bottleneck. We had 3 instances >>> of >>> Keycloak (running in clustered mode), each of which was consuming 100% >>> of 8 >>> Xeon CPUs, while only hitting about 80 API calls per second. The load >>> test >>> itself used 800 concurrent users, each doing 1 HTTP request every 100 >>> milliseconds. >>> >>> It looks like every time a POST is made to the REST API, Spring Boot >>> makes >>> a call to Keycloak to (re)authenticate the user. 
The Keycloak logs are >>> filled with: >>> >>> 2016-11-06 11:48:07,819 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] >>> (default task-74) RESTEASY002315: PathInfo: >>> /realms/proxy/protocol/openid- >>> connect/token >>> 2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) >>> AUTHENTICATE CLIENT >>> 2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) >>> client authenticator: client-secret >>> 2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) >>> client authenticator SUCCESS: client-secret >>> 2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) >>> Client devicereportreceiver authenticated by client-secret >>> 2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) >>> AUTHENTICATE ONLY >>> 2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) >>> processFlow >>> 2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) >>> check execution: direct-grant-validate-username requirement: REQUIRED >>> 2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) >>> authenticator: direct-grant-validate-username >>> 2016-11-06 11:48:07,820 DEBUG [org.keycloak.services] (default task-74) >>> invoke authenticator.authenticate >>> 2016-11-06 11:48:07,821 DEBUG [org.keycloak.services] (default task-74) >>> authenticator SUCCESS: direct-grant-validate-username >>> 2016-11-06 11:48:07,821 DEBUG [org.keycloak.services] (default task-74) >>> check execution: direct-grant-validate-password requirement: REQUIRED >>> 2016-11-06 11:48:07,821 DEBUG [org.keycloak.services] (default task-74) >>> authenticator: direct-grant-validate-password >>> 2016-11-06 11:48:07,821 DEBUG [org.keycloak.services] (default task-74) >>> invoke authenticator.authenticate >>> 2016-11-06 11:48:07,821 DEBUG >>> [org.hibernate.engine.transaction.internal.TransactionImpl] >>> (default task-74) begin >>> 2016-11-06 11:48:07,821 DEBUG >>> 
[org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] >>> (default task-74) KeycloakDS: getConnection(null, >>> WrappedConnectionRequestInfo at 25df8309[userName=postgres]) [0/20] >>> 2016-11-06 11:48:09,560 DEBUG [org.keycloak.services] (default task-74) >>> authenticator SUCCESS: direct-grant-validate-password >>> 2016-11-06 11:48:09,560 DEBUG [org.keycloak.services] (default task-74) >>> check execution: direct-grant-validate-otp requirement: OPTIONAL >>> 2016-11-06 11:48:09,560 DEBUG [org.keycloak.services] (default task-74) >>> authenticator: direct-grant-validate-otp >>> 2016-11-06 11:48:09,569 DEBUG [org.keycloak.services] (default task-74) >>> invoke authenticator.authenticate >>> 2016-11-06 11:48:09,569 DEBUG [org.keycloak.services] (default task-74) >>> authenticator ATTEMPTED: direct-grant-validate-otp >>> 2016-11-06 11:48:09,569 DEBUG [org.keycloak.services] (default task-74) >>> Using full scope for client >>> 2016-11-06 11:48:09,569 DEBUG [org.keycloak.services] (default task-74) >>> Using full scope for client >>> 2016-11-06 11:48:09,739 DEBUG [org.keycloak.events] (default task-74) >>> type=LOGIN, realmId=REMOVED, clientId=REMOVED, userId=REMOVED, >>> ipAddress=REMOVED, auth_method=openid-connect, token_id=REMOVED, >>> grant_type=password, refresh_token_type=Refresh, >>> refresh_token_id=REMOVED, >>> client_auth_method=client-secret, username=REMOVED >>> 2016-11-06 11:48:09,739 DEBUG >>> [org.hibernate.engine.transaction.internal.TransactionImpl] >>> (default task-74) committing >>> 2016-11-06 11:48:09,751 DEBUG >>> [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] >>> (default task-74) KeycloakDS: returnConnection(2aab4b06, false) [0/20] >>> >>> The Spring Boot application.properties looks like >>> >>> keycloak.realm=REMOVED >>> keycloak.realmKey=REMOVED >>> keycloak.auth-server-url=${KEYCLOAK_AUTHENTICATION_SERVER} >>> keycloak.ssl-required=none >>> keycloak.resource=REMOVED >>> #keycloak.use-resource-role-mappings=true >>> 
keycloak.enable-basic-auth=true >>> keycloak.credentials.secret=${KEYCLOAK_CLIENT_SECRET} >>> keycloak.cors=true >>> keycloak.cors-allowed-headers=x-requested-with,origin,conten >>> t-type,accept, >>> authorization >>> keycloak.cors-allowed-methods=GET,POST,DELETE,PUT,OPTIONS >>> keycloak.cors-max-age=3600 >>> keycloak.expose-token=true >>> keycloak.bearer-only=true >>> keycloak.securityConstraints[0].securityCollections[0].name=REMOVED >>> keycloak.securityConstraints[0].securityCollections[0].authRoles[0]=user >>> keycloak.securityConstraints[0].securityCollections[0].patte >>> rns[0]=/REMOVED >>> keycloak.securityConstraints[1].securityCollections[0].name=REMOVED >>> keycloak.securityConstraints[1].securityCollections[0].authR >>> oles[0]=DEVICE >>> keycloak.securityConstraints[1].securityCollections[0]. >>> patterns[0]=/REMOVED/* >>> >>> So my questions are: >>> >>> 1. Would you expect to see this kind of high utilization with my test >>> scenario? >>> >>> 2. Should the Keycloak Spring Boot adapter be reauthenticating with every >>> request, as opposed to caching the authentication results for a short >>> period of time, or just relying on normal HTTP sessions? >>> >>> Br, >>> Alan >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> >>> >> > > From guybowdler at dorsetnetworks.com Tue Nov 8 13:22:23 2016 From: guybowdler at dorsetnetworks.com (Guy Bowdler) Date: Tue, 08 Nov 2016 18:22:23 +0000 Subject: [keycloak-user] Is it possible to pass the keycoak headers back to NGINX reverse proxy Message-ID: Hi, We have an NGINX proxy in DMZ sending requests back to a Keycloak Security Proxy protecting an app in trust. We previously had this the other way round with the keycloak proxy in front of NGINX and were able to log the keycloak headers in the NGINX access logs. 
However, we've since had to reverse this situation and the browser only seems to have the keycloak cookie, hence the NGINX reverse proxy can't log the usernames any more. Is there a way to make the nginx reverse proxy aware of the keycloak headers?

Ideally I'd prefer to get NGINX to redirect to keycloak, instead of the keycloak security proxy, but it's a bit beyond me at the moment.

thanks
Guy

From carlosthe19916 at gmail.com Tue Nov 8 14:10:08 2016
From: carlosthe19916 at gmail.com (Carlos Feria)
Date: Tue, 8 Nov 2016 14:10:08 -0500
Subject: [keycloak-user] How to Pass User Attributes on Bearer Only Application?
Message-ID:

Hi all.

I have an Angular2 application (frontend) and a RESTful (JAX-RS) application for REST services. My Angular2 application has a *Public Client* configuration and my REST services have a *Bearer Only* client configuration.

I'm trying to get user attributes using this code:

HttpServletRequest request = servletRequest.get();
org.keycloak.KeycloakPrincipal kcPrincipal =
    (org.keycloak.KeycloakPrincipal) request.getUserPrincipal();
org.keycloak.representations.AccessToken accessToken =
    kcPrincipal.getKeycloakSecurityContext().getToken();
Map<String, Object> otherClaims = accessToken.getOtherClaims();

The problem is that accessToken.getOtherClaims() doesn't return any data. *I think that this happens because my REST application is BEARER ONLY*, but I'm not sure.

Please help me, *I need to pass data using user attributes (Employee Department for example). How could I solve my problem?*

*Thank you very much!!!*

--
Carlos E. Feria Vila

From glavoie at gmail.com Tue Nov 8 15:23:07 2016
From: glavoie at gmail.com (Gabriel Lavoie)
Date: Tue, 8 Nov 2016 15:23:07 -0500
Subject: [keycloak-user] Infinispan state transfer timeout on startup + Serialization exception on the other node
Message-ID:

Hi Stian,
during load/crash tests, we've encountered a few times the Infinispan error described in the following ticket when restarting the "failed" node:
https://issues.jboss.org/browse/JBEAP-6002

As this would require an Infinispan update, do you think changing the distributed cache to replicated caches could be an acceptable/tested workaround?

Thanks!

Gabriel

--
Gabriel Lavoie
glavoie at gmail.com

From sthorger at redhat.com Wed Nov 9 01:52:03 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 9 Nov 2016 07:52:03 +0100
Subject: [keycloak-user] Infinispan state transfer timeout on startup + Serialization exception on the other node
In-Reply-To:
References:
Message-ID:

We're waiting for an update to WildFly that includes a new Infinispan release to get this fixed. In the meantime, depending on how many nodes you have, yes, using a replicated cache will work.

On 8 November 2016 at 21:23, Gabriel Lavoie wrote:

> Hi Stian,
> during load/crash tests, we've encountered a few times the Infinispan
> error described in the following ticket when restarting the "failed" node:
> https://issues.jboss.org/browse/JBEAP-6002
>
> As this would require an Infinispan update, do you think changing the
> distributed cache to replicated caches could be an acceptable/tested
> workaround?
>
> Thanks!
>
> Gabriel
>
> --
> Gabriel Lavoie
> glavoie at gmail.com
>

From sthorger at redhat.com Wed Nov 9 01:55:02 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 9 Nov 2016 07:55:02 +0100
Subject: [keycloak-user] Possible to create a SecurityIdentityProviderFactory with custom provider?
In-Reply-To:
References:
Message-ID:

That's a bit too specialized to include out of the box, but thanks for offering.

On 8 November 2016 at 17:05, Ben Pittman wrote:

> Thanks for the reply Stian,
>
> I work in the education industry and I'm creating a SocialIdentityProvider
> to integrate with a company called Clever. They're big in education but
> little known outside it. I'm more than happy to contribute it if you think
> it would add value.
>
> On Tue, Nov 8, 2016 at 2:08 AM, Stian Thorgersen wrote:
>
>> No such thing as a SecurityIdentityProvider. You want to create a
>> provider of SocialIdentityProvider. For example take a look at the Google
>> provider:
>>
>> https://github.com/keycloak/keycloak/blob/292777259e65a78b1df0bfd8578a2ff8bc22fc21/services/src/main/java/org/keycloak/social/google/GoogleIdentityProvider.java
>>
>> What social provider are you adding? Maybe you'd like to contribute it to
>> us if it's a well known one.
>>
>> On 7 November 2016 at 19:50, Ben Pittman wrote:
>>
>>> I'm running Keycloak 1.9.8.Final. I just want to add another social
>>> provider with some custom logic (boilerplate OpenID won't work in my
>>> case). I've registered my module that
>>> overrides SecurityIdentityProviderFactory and provided my own Provider and
>>> Factory classes but get a 'resource not found' when I try and access the
>>> provider from the Keycloak UI.
>>>
>>> I've also tried adding my own LoginProtocolFactory module and I see it get
>>> registered on startup but there is no item for it in the 'add provider'
>>> identity drop-down.....
>>>
>>> Is what I'm trying to do just not possible? Or is there something obvious
>>> I'm missing outside of registering modules above to get this to work?
>>>
>>> Regards,
>>> Ben
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>

From cristi.cioriia at gmail.com Wed Nov 9 08:25:21 2016
From: cristi.cioriia at gmail.com (Cristi Cioriia)
Date: Wed, 9 Nov 2016 15:25:21 +0200
Subject: [keycloak-user] Access token does not contain permissions key
Message-ID:

Hi guys,

I've introspected an access key for one of my Keycloak applications and noticed that it does not contain a permissions key in it (as described here: https://keycloak.gitbooks.io/authorization-services-guide/content/v/2.2/topics/service/protection/token-introspection.html), but instead it contains a resource_access/Vertx-server/roles key. My question is: what do I need to do in order to receive a permissions object in the access token as described in the above document?

The URL I used for retrieving the access token looks like this: http://localhost:9090/auth/realms/master/protocol/openid-connect/token/introspect

My use case looks like this: I do have in my Vertx-server application a role based policy that uses a role named "employee" and a permission that protects one of my resources using that role based policy. Then when my client application named Vert-x client requests an access token to access the protected resource from the Vertx-server, the access token looks like this:

{
  "jti": "565fbecf-1ef5-4059-9309-fe3fca5d74bd",
  "exp": 1478699031,
  "nbf": 0,
  "iat": 1478695431,
  "iss": "http://localhost:9090/auth/realms/master",
  "aud": "Vertex-client",
  "sub": "0ba24c3e-2fe6-49f2-80b1-08023a236cd6",
  "typ": "Bearer",
  "azp": "Vertex-client",
  "auth_time": 1478695431,
  "session_state": "6e262177-dfd3-498f-a1f2-7a09bd04ff42",
  "name": "",
  "preferred_username": "admin",
  "acr": "1",
  "client_session": "9fc92504-a541-4757-8960-19d7f5457384",
  "allowed-origins": [
    "http://localhost:8282"
  ],
  "realm_access": {
    "roles": [
      "create-realm",
      "admin",
      "uma_authorization"
    ]
  },
  "resource_access": {
    "Vertex-server": {
      "roles": [
        "employee"
      ]
    },
    "master-realm": {
      "roles": [
        "view-identity-providers",
        "view-realm",
        "manage-identity-providers",
        "impersonation",
        "create-client",
        "manage-users",
        "view-authorization",
        "manage-events",
        "manage-realm",
        "view-events",
        "view-users",
        "view-clients",
        "manage-authorization",
        "manage-clients"
      ]
    },
    "account": {
      "roles": [
        "manage-account",
        "view-profile"
      ]
    }
  },
  "client_id": "Vertex-client",
  "username": "admin",
  "active": true
}

Thanks,
Cristi

From bburke at redhat.com Wed Nov 9 08:34:46 2016
From: bburke at redhat.com (Bill Burke)
Date: Wed, 9 Nov 2016 08:34:46 -0500
Subject: [keycloak-user] Infinispan state transfer timeout on startup + Serialization exception on the other node
In-Reply-To:
References:
Message-ID:

Is this going to be reflected in product? If not, we can't really depend on any new Infinispan interface and have to go with the Wildfly version product is based on, IMO.

On 11/9/16 1:52 AM, Stian Thorgersen wrote:
> We're waiting for an update to WildFly that includes a new Infinispan
> release to get this fixed. In the meantime, depending on how many nodes
> you have, yes using a replicated cache will work.
>
> On 8 November 2016 at 21:23, Gabriel Lavoie wrote:
>
>> Hi Stian,
>> during load/crash tests, we've encountered a few times the Infinispan
>> error described in the following ticket when restarting the "failed" node:
>> https://issues.jboss.org/browse/JBEAP-6002
>>
>> As this would require an Infinispan update, do you think changing the
>> distributed cache to replicated caches could be an acceptable/tested
>> workaround?
>>
>> Thanks!
>>
>> Gabriel
>>
>> --
>> Gabriel Lavoie
>> glavoie at gmail.com
>>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From GEORGIOS.GEORGOBASILES at ALLIANZ.DE Wed Nov 9 08:36:37 2016
From: GEORGIOS.GEORGOBASILES at ALLIANZ.DE (Georgobasiles, Georgios (AMOS SE))
Date: Wed, 9 Nov 2016 13:36:37 +0000
Subject: [keycloak-user] How does conditional OTP form work?
Message-ID: <3c5ae7b9f6ca47edb561df3b35b9d545@dee111ash000027.wwg00m.rootdom.net>

Dear all,
I'm trying out a scenario where users are forced into different login flows depending on their browser's user agent HTTP header: all users have to log in over a SAML IP and, in addition, users who don't use IE need to go through an OTP form.

I've set up a SAML IP with a post login flow that consists of a single "Conditional OTP Form" execution. For test purposes, the only condition in that execution is a "Skip OTP for Header" which is "User-Agent:.*MSIE.*" with a fallback OTP handling to "force".

I noticed that when the execution is marked as "required", an OTP form is always shown to the user regardless of their browser's user agent and when it's marked as "optional", the user never gets to see the OTP form, so it looks like the condition on the HTTP header is always ignored. What am I missing?
version: 2.3.0 final

From sthorger at redhat.com Wed Nov 9 08:41:51 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 9 Nov 2016 14:41:51 +0100
Subject: [keycloak-user] Infinispan state transfer timeout on startup + Serialization exception on the other node
In-Reply-To:
References:
Message-ID:

We're not upgrading Infinispan ourselves if that's what you are commenting on. These are just bug fixes that have been backported to EAP 7.0.4 just for us.

On 9 November 2016 at 14:34, Bill Burke wrote:

> Is this going to be reflected in product? If not, we can't really
> depend on any new Infinispan interface and have to go with the Wildfly
> version product is based on, IMO.
>
>
> On 11/9/16 1:52 AM, Stian Thorgersen wrote:
> > We're waiting for an update to WildFly that includes a new Infinispan
> > release to get this fixed. In the meantime, depending on how many nodes
> > you have, yes using a replicated cache will work.
> >
> > On 8 November 2016 at 21:23, Gabriel Lavoie wrote:
> >
> >> Hi Stian,
> >> during load/crash tests, we've encountered a few times the Infinispan
> >> error described in the following ticket when restarting the "failed" node:
> >> https://issues.jboss.org/browse/JBEAP-6002
> >>
> >> As this would require an Infinispan update, do you think changing the
> >> distributed cache to replicated caches could be an acceptable/tested
> >> workaround?
> >>
> >> Thanks!
> >>
> >> Gabriel
> >>
> >> --
> >> Gabriel Lavoie
> >> glavoie at gmail.com
> >>
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From juraci at kroehling.de Wed Nov 9 08:43:51 2016
From: juraci at kroehling.de (Juraci Paixão Kröhling)
Date: Wed, 9 Nov 2016 14:43:51 +0100
Subject: [keycloak-user] Client Registration and OpenShift
Message-ID: <4e6e8aa5-19fc-a2fe-efab-ec624ca7559d@kroehling.de>

Hello,

Has anyone performed any work around automating client registrations in the context of OpenShift applications?

I'm automating the setup of Hawkular APM for OpenShift, and I would like to add an option to "plug" Keycloak to the mix. The first idea is to create a Keycloak server on the namespace/project and use a wrapper script on APM's standalone.sh to call /auth/realms/master/clients-registrations/default, saving the client information then to the standalone.xml.

If someone has done something like this before, I'd like to chat a bit before I go forward with this option.

- Juca.

From solsson at gmail.com Wed Nov 9 08:54:04 2016
From: solsson at gmail.com (Staffan)
Date: Wed, 9 Nov 2016 14:54:04 +0100
Subject: [keycloak-user] Expose JGroups ports in Docker keycloak-ha-postgres
In-Reply-To:
References:
Message-ID:

I have verified that `hostname -i` works with Minikube, but not yet a multi-node cluster. Created PR https://github.com/jboss-dockerfiles/keycloak/pull/59 for the official HA docker image.

Is the following warning in keycloak logs something that affects clustering?

WARN [org.jboss.as.txn] (ServerService Thread Pool -- 49) WFLYTX0013: Node identifier property is set to the default value. Please make sure it is unique.
It can be remedied using https://github.com/Reposoft/keycloak-ha-kubernetes/commit/413665f0c0827f8fa35379cc1f78098124290cd8 but I have avoided config file changes.

/Staffan

On Tue, Nov 8, 2016 at 3:06 PM, Alan Gibson wrote:

> Hi Staffan,
>
> We've got 3 clustered Keycloak nodes running in Docker with host (not
> bridge) networking and managed by Mesos/Marathon. Cluster communications
> run over UDP. We start them with the following command.
>
> /opt/jboss/docker-entrypoint.sh -Dkeycloak.migration.action={{keycloak_migration_action}}
> -Dkeycloak.migration.provider={{keycloak_migration_provider}}
> -Dkeycloak.migration.file={{keycloak_migration_file}}
> -Dkeycloak.migration.strategy={{keycloak_migration_strategy}}
> -Djboss.jgroups.stack={{keycloak_jgroups_stack}}
> -Djboss.jgroups.udp.port={{keycloak_jgroups_udp_port}}
> -Djboss.jgroups.udp.multicast.port={{keycloak_jgroups_udp_multicast_port}}
> -Djboss.jgroups.udp.fd.port={{keycloak_jgroups_udp_fd_port}}
> -Djboss.management.http.port=$PORT1 -Djboss.http.port=$PORT0
> -Djboss.bind.address.private=$(hostname -i) -b 0.0.0.0 -bmanagement
> 0.0.0.0 --server-config standalone-ha.xml
>
> keycloak_jgroups_stack: udp
> keycloak_jgroups_udp_port: 5520
> keycloak_jgroups_udp_multicast_port: 4568
> keycloak_jgroups_udp_fd_port: 5420
>
> The magic ingredient is getting the jboss.bind.address.private
> address from the shell with $(hostname -i). Note that this is definitely
> not foolproof, so YMMV.
>
> Br, Alan
>
> On Tue, Nov 8, 2016 at 11:59 AM, Staffan wrote:
>
>> Hi,
>>
>> I've tried in different docker environments (compose, kubernetes,
>> standalone) to get a HA setup running using
>> https://hub.docker.com/r/jboss/keycloak-ha-postgres/ .
>>
>> Keycloak nodes start, but are unaware of each other. I fail to reach the
>> JGroups ports from any other container or host system.
>> That is expected, as
>> https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.3/topics/clustering/multicast.html
>> advises you to configure jboss.bind.address.private.
>>
>> But when I try -Djboss.bind.address.private=0.0.0.0 there's an error
>> during startup:
>>
>> MSC000001: Failed to start service jboss.jgroups.channel.ee:
>> org.jboss.msc.service.StartException in service jboss.jgroups.channel.ee:
>> java.security.PrivilegedActionException: java.net.BindException: [UDP]
>> /0.0.0.0 is not a valid address on any local network interface
>>     at org.wildfly.clustering.jgroups.spi.service.ChannelBuilder.start(ChannelBuilder.java:80)
>> Caused by: java.security.PrivilegedActionException: java.net.BindException:
>> [UDP] /0.0.0.0 is not a valid address on any local network interface
>>     at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:640)
>> Caused by: java.net.BindException: [UDP] /0.0.0.0 is not a valid address
>> on any local network interface
>>     at org.jgroups.util.Util.checkIfValidAddress(Util.java:3522)
>>
>> ... or if I switch to stack="tcp" in the jgroups subsystem:
>>
>> MSC000001: Failed to start service jboss.jgroups.channel.ee:
>> org.jboss.msc.service.StartException in service jboss.jgroups.channel.ee:
>> java.security.PrivilegedActionException: java.net.BindException: [TCP]
>> /0.0.0.0 is not a valid address on any local network interface
>>
>> I guess this is a generic Wildfly topic, but I'm curious how the official
>> Keycloak docker containers are tested. In a docker environment, what can
>> we bind to other than 0.0.0.0 or 127.0.0.1? Is there a way to allow a
>> "privileged action"?
>>
>> regards
>> Staffan Olsson
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>

From sthorger at redhat.com Wed Nov 9 09:10:08 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 9 Nov 2016 15:10:08 +0100
Subject: [keycloak-user] How does conditional OTP form work?
In-Reply-To: <3c5ae7b9f6ca47edb561df3b35b9d545@dee111ash000027.wwg00m.rootdom.net>
References: <3c5ae7b9f6ca47edb561df3b35b9d545@dee111ash000027.wwg00m.rootdom.net>
Message-ID:

We're currently looking at the conditional OTP form as it seems to be broken. The way it should work is: if it's required, it's required only if OTP is required depending on roles and headers. If it's optional, it should only be required if the user has configured OTP.

On 9 November 2016 at 14:36, Georgobasiles, Georgios (AMOS SE) <GEORGIOS.GEORGOBASILES at allianz.de> wrote:

> Dear all,
> I'm trying out a scenario where users are forced into different login
> flows depending on their browser's user agent HTTP header: all users have
> to log in over a SAML IP and, in addition, users who don't use IE need to
> go through an OTP form.
>
> I've set up a SAML IP with a post login flow that consists of a single
> "Conditional OTP Form" execution. For test purposes, the only condition in
> that execution is a "Skip OTP for Header" which is "User-Agent:.*MSIE.*"
> with a fallback OTP handling to "force".
>
> I noticed that when the execution is marked as "required", an OTP form is
> always shown to the user regardless of their browser's user agent and when
> it's marked as "optional", the user never gets to see the OTP form, so it
> looks like the condition on the HTTP header is always ignored. What am I
> missing?
>
>
>
> version: 2.3.0 final
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From emorny at gmail.com Wed Nov 9 11:21:07 2016
From: emorny at gmail.com (Edem Morny)
Date: Wed, 9 Nov 2016 16:21:07 +0000
Subject: [keycloak-user] Jackson Exception updating user password via REST
Message-ID:

Hi,

I recently upgraded from Keycloak 1.5 to 2.3.0.Final, and my previously working invocations of the "update password" REST API now fail on the Keycloak server with the following exception in the keycloak output.

16:09:50,970 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-65) RESTEASY002005: Failed executing PUT /admin/realms/caewex/users/011aa181-45cd-4e34-95c1-5f0f23674b42/reset-password: org.jboss.resteasy.spi.ReaderException: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "config" (class org.keycloak.representations.idm.CredentialRepresentation), not marked as ignorable (12 known properties: "period", "hashIterations", "digits", "hashedSaltedValue", "algorithm", "value", "temporary", "device", "createdDate", "salt", "type", "counter"])
 at [Source: io.undertow.servlet.spec.ServletInputStreamImpl at 157c188d; line: 1, column: 213] (through reference chain: org.keycloak.representations.idm.CredentialRepresentation["config"])

Any idea what I might be doing wrong?

From thomas.darimont at googlemail.com Wed Nov 9 11:42:09 2016
From: thomas.darimont at googlemail.com (Thomas Darimont)
Date: Wed, 9 Nov 2016 17:42:09 +0100
Subject: [keycloak-user] How does conditional OTP form work?
In-Reply-To:
References: <3c5ae7b9f6ca47edb561df3b35b9d545@dee111ash000027.wwg00m.rootdom.net>
Message-ID:

Hello,

strange that the conditional OTP currently doesn't work for you, when I wrote it a few months back it worked quite well for us.
I didn't look at it for a while since I'm using a slightly different authentication logic now which doesn't require the CondOTP anymore.

Let me know if I can help :)

Cheers,
Thomas

2016-11-09 15:10 GMT+01:00 Stian Thorgersen :

> We're currently looking at the conditional otp form as it seems to be
> broken. The way it should work is if it's required it's required only if
> otp is required depending on roles and headers. If it's optional it should
> only be required if user has configured OTP.
>
> On 9 November 2016 at 14:36, Georgobasiles, Georgios (AMOS SE) <
> GEORGIOS.GEORGOBASILES at allianz.de> wrote:
>
> > Dear all,
> > I'm trying out a scenario where users are forced into different login
> > flows depending on their browser's user agent HTTP header: all users have
> > to log in over a SAML IP and, in addition, users who don't use IE need to
> > go through an OTP form.
> >
> > I've set up a SAML IP with a post login flow that consists of a single
> > "Conditional OTP Form" execution. For test purposes, the only condition in
> > that execution is a "Skip OTP for Header" which is "User-Agent:.*MSIE.*"
> > with a fallback OTP handling to "force".
> >
> > I noticed that when the execution is marked as "required", an OTP form is
> > always shown to the user regardless of their browser's user agent and when
> > it's marked as "optional", the user never gets to see the OTP form, so it
> > looks like the condition on the HTTP header is always ignored. What am I
> > missing?
> >
> >
> >
> > version: 2.3.0 final
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From java at neposoft.com Wed Nov 9 11:43:22 2016
From: java at neposoft.com (java_os)
Date: Wed, 9 Nov 2016 11:43:22 -0500
Subject: [keycloak-user] NPE - logout
Message-ID: <329bacbc7cfa1b81be24d20eee883c1a.squirrel@neposoft.com>

Hi - nullpointer on logout call, 2.2.1.Final and 2.3.0.Final - Nullpointer when logging out using keycloak.js (setup: Ng (keycloak.js) -> Rest. IdP login through KC identity brokering to SAML).
Below is the stacktrace - how do I log out from the SAML bridge? Login works.

------------ read NPE at the bottom ---

Anyone experienced this? It's happening on logout:

11:32:55,052 ERROR [io.undertow.request] (default task-9) UT005023: Exception handling request to /auth/realms/EDITED/protocol/openid-connect/logout: org.jboss.resteasy.spi.UnhandledException: java.lang.RuntimeException: java.lang.NullPointerException
    at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
    at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
    at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.RuntimeException: java.lang.NullPointerException
    at org.keycloak.broker.saml.SAMLIdentityProvider.keycloakInitiatedBrowserLogout(SAMLIdentityProvider.java:180)
    at org.keycloak.services.managers.AuthenticationManager.browserLogout(AuthenticationManager.java:254)
    at org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.logout(LogoutEndpoint.java:142)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
    ... 37 more
Caused by: java.lang.NullPointerException
    at java.net.URI$Parser.parse(URI.java:3042)
    at java.net.URI.<init>(URI.java:588)
    at java.net.URI.create(URI.java:850)
    at org.keycloak.saml.SAML2LogoutRequestBuilder.createLogoutRequest(SAML2LogoutRequestBuilder.java:89)
    at org.keycloak.saml.SAML2LogoutRequestBuilder.buildDocument(SAML2LogoutRequestBuilder.java:78)
    at org.keycloak.broker.saml.SAMLIdentityProvider.keycloakInitiatedBrowserLogout(SAMLIdentityProvider.java:178)
    ... 51 more

From schwartzbj17 at gmail.com Wed Nov 9 11:45:29 2016
From: schwartzbj17 at gmail.com (schwartzbj17 at gmail.com)
Date: Wed, 9 Nov 2016 10:45:29 -0600
Subject: [keycloak-user] automatic user cleanup with UserSessionProvider SPI
Message-ID: <582352a9.0130ed0a.10866.1713@mx.google.com>

Is there a way using one of the service provider interfaces to automatically delete users when the user session expires? I tried the UserSessionProvider, but am not sure how to install it and have Keycloak use it.
I tried installing it in the providers folder to no avail. I tried installing it as a module to no avail. Anyone have a working example of this provider? I've successfully built and installed other SPIs without issue, but those had working examples in the Keycloak documentation and/or GitHub.

I'm using Keycloak 2.3.0.Final

From RLaghuvaram at contractor.lb.com Wed Nov 9 14:47:19 2016
From: RLaghuvaram at contractor.lb.com (Laghuvaram, Raghu)
Date: Wed, 9 Nov 2016 19:47:19 +0000
Subject: [keycloak-user] Single Sign On without browser redirect.
Message-ID: 

I have two applications, App1 and App2 (both are on different servers and both have different branding), and I want to achieve single sign-on using Keycloak. I have a few concerns:

1. I want to make use of our own login/sign-in pages residing in App1 and App2 rather than redirecting to the Keycloak login page, and post the request to Keycloak similar to org.keycloak.testsuite.util.OAuthClient#doGrantAccessTokenRequest. I am successful in getting an AccessToken in App1, but how can I achieve SSO with App2 in this scenario?

2. If I can't have the login pages on my apps, then can I have multiple login themes, in such a way that I can have a different theme per app (per client)? Right now I see that I can have only one theme per realm.

3. I have native mobile apps for these two apps, so I need to make sure my architecture supports login through native apps as well.

4. Currently I am using the Java Servlet Filter Adapter to make use of Keycloak. I gave my secured pages URL (/secured/*) for the filter KeycloakOIDCFilter, and for non-secured pages in my application (where the URL is "/*") I have added another filter to refresh the token using "refreshableKeycloakSecurityContext.refreshExpiredToken(true);". This works perfectly when I am using the HttpSession, but when I make it stateless using the token store set to cookie, then I can't get hold of refreshableKeycloakSecurityContext without replicating the HttpSession across multiple instances of my web servers. If this is not the right way, then how can I maintain the session with the IdP from my non-secured pages?

Thanks,
Raghu

________________________________
Notice: This communication may contain privileged and/or confidential information. If you are not the intended recipient, please notify the sender by email, and immediately delete the message and any attachments without copying or disclosing them. LB may, for any reason, intercept, access, use, and disclose any information that is communicated by or through, or which is stored on, its networks, applications, services, and devices.

From colin.ritchie at tasktop.com Wed Nov 9 14:58:35 2016
From: colin.ritchie at tasktop.com (Colin Ritchie)
Date: Wed, 9 Nov 2016 11:58:35 -0800
Subject: [keycloak-user] Issue Configuring HTTP Reverse Proxy to Keycloak
Message-ID: 

Hello,

I am having trouble getting Keycloak to work behind a reverse proxy. I have installed Keycloak on the same server as our existing web application running in Tomcat, with Keycloak listening on 8081 and Tomcat listening on 8080. I have configured an HTTP reverse proxy in Tomcat using https://github.com/mitre/HTTP-Proxy-Servlet. I am forwarding /auth to the reverse proxy, which in turn connects to Keycloak (http://localhost:8081/auth).

When I visit "http://localhost:8080/auth", the first page in this scenario works: the "Welcome to Keycloak" page appears.
But when I click on the "Administration Console" link, the first redirect works, to "/auth/admin/master/console". But it then quickly redirects the browser directly to the Keycloak port:

http://localhost:8081/auth/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F&state=a36dd30e-6268-4545-9a4f-a397169917b6&nonce=79d7099d-10df-471f-96e9-b13a8da17b55&response_mode=fragment&response_type=code&scope=openid

The reverse proxy sets the X-Forwarded-For and X-Forwarded-Proto headers. And I have configured Keycloak according to https://keycloak.gitbooks.io/server-installation-and-configuration/content/topics/clustering/load-balancer.html, setting the proxy-address-forwarding attribute.

I am also seeing, on the final redirected page, the error "Invalid parameter: redirect_uri".

Any help would be very appreciated.

-- 
Colin Ritchie | Engineering Manager | Tasktop Technologies

From ivan at akvo.org Thu Nov 10 03:46:08 2016
From: ivan at akvo.org (Iván Perdomo)
Date: Thu, 10 Nov 2016 09:46:08 +0100
Subject: [keycloak-user] Expose JGroups ports in Docker keycloak-ha-postgres
In-Reply-To: 
References: 
Message-ID: <172f3778-45d3-64ee-cf41-034d8a5c1676@akvo.org>

Hi,

I'm also interested in running Keycloak HA with Kubernetes/Google Cloud Platform.

> JGroups members use multicast communication over UDP to broadcast
> their presence to other instances on a network. Google Cloud
> Platform, like most cloud providers and enterprise networks, does not
> support multicast

https://cloudplatform.googleblog.com/2016/02/JGroups-based-clustering-and-node-discovery-with-Google-Cloud-Storage.html

Do we need to take that route and use the GOOGLE_PING method for node discovery? Any hints on this topic are quite valuable.

Thanks,

On 11/09/2016 02:54 PM, Staffan wrote:
> I have verified that `hostname -i` works with Minikube, but not yet a
> multi-node cluster.
> 
> Created PR https://github.com/jboss-dockerfiles/keycloak/pull/59 for the
> official HA docker image.
> 
> Is the following warning in keycloak logs something that affects clustering?
> 
> WARN [org.jboss.as.txn] (ServerService Thread Pool -- 49) WFLYTX0013: Node
> identifier property is set to the default value. Please make sure it is
> unique.
> 
> It can be remedied using
> https://github.com/Reposoft/keycloak-ha-kubernetes/commit/413665f0c0827f8fa35379cc1f78098124290cd8
> but I have avoided config file changes.
> 
> /Staffan
> 
> On Tue, Nov 8, 2016 at 3:06 PM, Alan Gibson wrote:
> 
>> Hi Staffan,
>> 
>> We've got 3 clustered Keycloak nodes running in Docker with host (not
>> bridge) networking and managed by Mesos/Marathon. Cluster communications
>> run over UDP. We start them with the following command.
>> 
>> /opt/jboss/docker-entrypoint.sh \
>>   -Dkeycloak.migration.action={{keycloak_migration_action}} \
>>   -Dkeycloak.migration.provider={{keycloak_migration_provider}} \
>>   -Dkeycloak.migration.file={{keycloak_migration_file}} \
>>   -Dkeycloak.migration.strategy={{keycloak_migration_strategy}} \
>>   -Djboss.jgroups.stack={{keycloak_jgroups_stack}} \
>>   -Djboss.jgroups.udp.port={{keycloak_jgroups_udp_port}} \
>>   -Djboss.jgroups.udp.multicast.port={{keycloak_jgroups_udp_multicast_port}} \
>>   -Djboss.jgroups.udp.fd.port={{keycloak_jgroups_udp_fd_port}} \
>>   -Djboss.management.http.port=$PORT1 -Djboss.http.port=$PORT0 \
>>   -Djboss.bind.address.private=$(hostname -i) -b 0.0.0.0 -bmanagement 0.0.0.0 \
>>   --server-config standalone-ha.xml
>> 
>> keycloak_jgroups_stack: udp
>> keycloak_jgroups_udp_port: 5520
>> keycloak_jgroups_udp_multicast_port: 4568
>> keycloak_jgroups_udp_fd_port: 5420
>> 
>> The magic ingredient is getting the jboss.bind.address.private
>> address from the shell with $(hostname -i). Note that this is definitely
>> not foolproof, so YMMV.
>> 
>> Br, Alan
>> 
>> On Tue, Nov 8, 2016 at 11:59 AM, Staffan wrote:
>> 
>>> Hi,
>>> 
>>> I've tried in different docker environments (compose, kubernetes,
>>> standalone) to get a HA setup running using
>>> https://hub.docker.com/r/jboss/keycloak-ha-postgres/ .
>>> 
>>> Keycloak nodes start, but are unaware of each other. I fail to reach the
>>> JGroups ports from any other container or host system. That is expected, as
>>> https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.3/topics/clustering/multicast.html
>>> advises you to configure jboss.bind.address.private.
>>> 
>>> But when I try -Djboss.bind.address.private=0.0.0.0 there's an error during
>>> startup:
>>> 
>>> MSC000001: Failed to start service jboss.jgroups.channel.ee: org.jboss.msc.service.StartException in service jboss.jgroups.channel.ee: java.security.PrivilegedActionException: java.net.BindException: [UDP] /0.0.0.0 is not a valid address on any local network interface
>>>     at org.wildfly.clustering.jgroups.spi.service.ChannelBuilder.start(ChannelBuilder.java:80)
>>> Caused by: java.security.PrivilegedActionException: java.net.BindException: [UDP] /0.0.0.0 is not a valid address on any local network interface
>>>     at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:640)
>>> Caused by: java.net.BindException: [UDP] /0.0.0.0 is not a valid address on any local network interface
>>>     at org.jgroups.util.Util.checkIfValidAddress(Util.java:3522)
>>> 
>>> ... or if I switch to stack="tcp" in the jgroups subsystem:
>>> 
>>> MSC000001: Failed to start service jboss.jgroups.channel.ee: org.jboss.msc.service.StartException in service jboss.jgroups.channel.ee: java.security.PrivilegedActionException: java.net.BindException: [TCP] /0.0.0.0 is not a valid address on any local network interface
>>> 
>>> I guess this is a generic WildFly topic, but I'm curious how the official
>>> Keycloak docker containers are tested. In a docker environment, what can we
>>> bind to other than 0.0.0.0 or 127.0.0.1? Is there a way to allow a
>>> "privileged action"?
>>> 
>>> regards
>>> Staffan Olsson
>>> 
>> 
> 

-- 
Iván

From sthorger at redhat.com Thu Nov 10 06:29:21 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 10 Nov 2016 12:29:21 +0100
Subject: [keycloak-user] How to Pass User Attributes on Bearer Only Application?
In-Reply-To: 
References: 
Message-ID: 

Not sure what attributes you are trying to get. Are these custom attributes you've added to the user yourself? If so you need to add a protocol mapper for the angular2 public client so they are added to the token. They will then be available in otherClaims in the service.

On 8 November 2016 at 20:10, Carlos Feria wrote:
> Hi all. I have an Angular2 application (frontend) and a RESTful (JAX-RS) for
> REST services. My Angular2 application has a *Public Client* configuration
> and my REST services have a *Bearer Only* client configuration. I'm trying
> to get user attributes using this code:
> 
> HttpServletRequest request = servletRequest.get();
> org.keycloak.KeycloakPrincipal kcPrincipal = (org.keycloak.KeycloakPrincipal) request.getUserPrincipal();
> org.keycloak.representations.AccessToken accessToken = kcPrincipal.getKeycloakSecurityContext().getToken();
> Map<String, Object> otherClaims = accessToken.getOtherClaims();
> 
> The problem is that accessToken.getOtherClaims() doesn't return any data. *I
> think that this happens because my REST application is BEARER ONLY*, but
> I'm not sure.
> 
> Please help me, *I need to pass data using user attributes (Employee
> Department for example). How could I solve my problem?*
> 
> *Thank you very much!!!*
> 
> --
> Carlos E. Feria Vila

From sthorger at redhat.com Thu Nov 10 06:37:47 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 10 Nov 2016 12:37:47 +0100
Subject: [keycloak-user] Keycloak with EZproxy
In-Reply-To: 
References: 
Message-ID: 

Looks like a bug on our end. If the request includes NameIDPolicy, but the format is missing, it'll throw an NPE:
https://github.com/keycloak/keycloak/blob/2.2.0.Final/services/src/main/java/org/keycloak/protocol/saml/SamlService.java#L262

Format is optional so we should handle this. You can create a JIRA for it and we'll fix. In the meantime, if you can get it to include a format or not include the NameIDPolicy, it may work.

On 8 November 2016 at 14:38, Ricardo Chu wrote:
> Stian,
> We set the "Client Signature Required" to off. See print screen here:
> https://drive.google.com/open?id=0B7GnoaXLMbnOS1l4dkNmQjFPSUk
> 
> I restarted Keycloak and attempted to login via EZproxy. It looks like we
> get a little further down the login process but now get an NPE.
> 
> You can see the log excerpt here: https://bitbucket.org/snippets/rachu/ddRze
> 
> Rick
> 
> On Mon, Nov 7, 2016 at 1:15 AM, Stian Thorgersen wrote:
> 
>> First guess is that EZProxy is not signing the login assertion and the
>> client is configured in KC admin console to require signatures. Try turning
>> "Client Signature Required" off for the client in the Keycloak admin
>> console.
>> 
>> On 5 November 2016 at 14:36, Ricardo Chu wrote:
>> 
>>> Here is the trace output of this problem:
>>> https://bitbucket.org/snippets/rachu/ddRze/keycloak-ezproxy-problem
>>> 
>>> This log includes the startup of Keycloak and the login attempt. The
>>> login fails and the message "invalid requester" is displayed in the
>>> browser.
>>> 
>>> The trace shows the "Invalid signature on document" message.
>>> Line 5211 says "Cannot find Signature element".
>>> 
>>> Any idea what may cause this?
>>> 
>>> Rick
>>> 
>>> On Fri, Sep 30, 2016 at 3:25 AM, Stian Thorgersen wrote:
>>> 
>>>> "XML External Entity switches are not supported. You may get XML injection
>>>> vulnerabilities." is just a warning and shouldn't have anything to do with
>>>> the issue.
>>>> 
>>>> Try enabling trace logging for org.keycloak and see if you get any more
>>>> details.
>>>> 
>>>> On 23 September 2016 at 14:52, Bill Kuntz wrote:
>>>> 
>>>> > Thanks.
>>>> >
>>>> > When we attempt to authenticate using keycloak 2.2.0_final, we get the
>>>> > following log entries on the Keycloak server:
>>>> >
>>>> > 2016-09-23 08:44:09,842 WARN [org.keycloak.saml.common] (default task-1) XML External Entity switches are not supported. You may get XML injection vulnerabilities.
>>>> >
>>>> > 2016-09-23 08:44:09,948 ERROR [org.keycloak.protocol.saml.SamlService] (default task-1) request validation failed: org.keycloak.common.VerificationException: Invalid signature on document
>>>> >     at org.keycloak.protocol.saml.SamlProtocolUtils.verifyDocumentSignature(SamlProtocolUtils.java:57)
>>>> >     at org.keycloak.protocol.saml.SamlProtocolUtils.verifyDocumentSignature(SamlProtocolUtils.java:50)
>>>> >     at org.keycloak.protocol.saml.SamlService$PostBindingProtocol.verifySignature(SamlService.java:405)
>>>> >     at org.keycloak.protocol.saml.SamlService$BindingProtocol.handleSamlRequest(SamlService.java:186)
>>>> >     at org.keycloak.protocol.saml.SamlService$PostBindingProtocol.execute(SamlService.java:428)
>>>> >     at org.keycloak.protocol.saml.SamlService.postBinding(SamlService.java:504)
>>>> >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>> >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>>> >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>> >     at java.lang.reflect.Method.invoke(Method.java:498)
>>>> >     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
>>>> >     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>>>> >     at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>>>> >     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>>>> >     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>>>> >     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
>>>> >     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
>>>> >     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>>>> >     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>>>> >     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>>>> >     at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>>>> >     at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>>>> >     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>>>> >     at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>>>> >     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>>>> >     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>>>> >     at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>>>> >     at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>>>> >     at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>>>> >     at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>>>> >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>> >     at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>>>> >     at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>>>> >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>> >     at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>>> >     at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>>>> >     at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>>>> >     at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>>> >     at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>>>> >     at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>>>> >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>> >     at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>>> >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>> >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>> >     at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>>>> >     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>>>> >     at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>>>> >     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>>>> >     at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>>>> >     at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>>>> >     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>> >     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>> >     at java.lang.Thread.run(Thread.java:745)
>>>> >
>>>> > 2016-09-23 08:44:10,075 WARN [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=FLVC, clientId=null, userId=null, ipAddress=192.168.33.51, error=invalid_signature
>>>> >
>>>> > I have verified that the keys on the client match the server. Do the
>>>> > XML External Entities have something to do with this?
>>>> >
>>>> > Any help is appreciated.
>>>> >
>>>> > Thanks,
>>>> >
>>>> > Bill
>>>> >
>>>> > From: Stian Thorgersen [mailto:sthorger at redhat.com]
>>>> > Sent: Thursday, September 08, 2016 2:31 AM
>>>> > To: Bill Kuntz
>>>> > Cc: keycloak-user at lists.jboss.org
>>>> > Subject: Re: [keycloak-user] Keycloak with EZproxy
>>>> >
>>>> > Not sure what they mean about "authentication sequence identical to a
>>>> > standard Shibboleth Identity Provider", but Keycloak is pretty configurable
>>>> > so it should be possible to adapt the SAML configuration for the client to
>>>> > make it work with EZProxy.
>>>> >
>>>> > On 1 September 2016 at 17:47, Bill Kuntz wrote:
>>>> >
>>>> > Has anyone successfully used Keycloak with OCLC's EZProxy? We have been
>>>> > experimenting with Keycloak, and have been able to get it working with
>>>> > other SPs, but not EZProxy.
>>>> >
>>>> > OCLC says "EZproxy supports connecting to non-Shibboleth SAML2 SSO
>>>> > systems if and only if that system uses an authentication sequence
>>>> > identical to a standard Shibboleth Identity Provider (IDP)."
>>>> >
>>>> > Thanks,
>>>> > Bill
>>>> >
>>>> 
>>> 
>> 
> 

From roger.turnau at pwc.com Thu Nov 10 11:17:32 2016
From: roger.turnau at pwc.com (Roger Turnau (US - Advisory))
Date: Thu, 10 Nov 2016 11:17:32 -0500
Subject: [keycloak-user] Looking for User Experiences
Message-ID: 

Hi all,

I am working with a client who is considering adopting Keycloak, and I wanted to reach out to this group to see if anyone is using Keycloak in production, and if I could ask you some questions privately on what your experience has been with the product. Please feel free to email me at roger.turnau at pwc.com.

Thank you in advance for your help.

Best,

-- 
Roger Turnau
PwC

______________________________________________________________________
The information transmitted, including any attachments, is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited, and all liability arising therefrom is disclaimed.
If you received this in error, please contact the sender and delete the material from any computer. PricewaterhouseCoopers LLP is a Delaware limited liability partnership. This communication may come from PricewaterhouseCoopers LLP or one of its subsidiaries.

From keycloak at danyx.com Thu Nov 10 13:20:34 2016
From: keycloak at danyx.com (Daniel Bachler)
Date: Thu, 10 Nov 2016 19:20:34 +0100
Subject: [keycloak-user] Keycloak Security Proxy redirects to http
Message-ID: 

Hi,

I am having trouble with the Keycloak Security Proxy. I want to secure a Jupyter notebook with it. When I go to the https-enabled URL where it is available (behind the Keycloak Security Proxy), I get redirected to the Keycloak login screen, but when I submit my details there it tries to redirect me to the http version of the endpoint and dies.

Here are more details of my setup: The entire setup is hosted in a Kubernetes cluster, with Traefik acting as a reverse proxy / ingress controller. Traefik is configured to automatically generate SSL certificates using Let's Encrypt for all publicly available services and handle the SSL termination. All traffic inside the cluster uses plain http. Inside the cluster is one container that runs the Keycloak server, one that runs the Jupyter notebook and one for the Keycloak Security Proxy.

When I remove the constraints patterns in the config below and just let traffic through, the https flow works and I can access the site through the security proxy (but without seeing a login mask at any point, of course). It is only when I enable the authentication workflow that it fails by redirecting to http.

I don't need authorization / user management for my Jupyter notebook, I just need to make sure that the user logged in successfully, so if there is another way to configure this that would work in this case, that would also be fine.

Here is my Keycloak Security Proxy config. Please let me know if any other information would be helpful to debug this situation. Thanks!

{
  "target-url": "http://jupyter-service:8888/",
  "send-access-token": true,
  "bind-address": "0.0.0.0",
  "http-port": "8080",
  "applications": [
    {
      "base-path": "/",
      "adapter-config": {
        "realm": "Testrealm",
        "auth-server-url": "https://OMITTED/auth",
        "ssl-required": "external",
        "resource": "jupyter",
        "public-client": true
      },
      "constraints": [
        {
          "pattern": "/*",
          "roles-allowed": [
            "jupyter-users"
          ]
        }
      ]
    }
  ]
}

Best,
Daniel

From abhi.raghav007 at gmail.com Fri Nov 11 01:44:52 2016
From: abhi.raghav007 at gmail.com (abhishek raghav)
Date: Fri, 11 Nov 2016 12:14:52 +0530
Subject: [keycloak-user] ERROR sending email with my company's SMTP server : Exception writing multipart
Message-ID: 

Hi

I am facing a weird issue when I try sending emails from Keycloak. I tried digging into the issue and figured out that it happens when Keycloak tries to template the email content in HTML format. I don't want to use the plain text body content in the email, so I removed the text folder itself from the email theme. When I tried with Google SMTP, everything works perfectly fine (even HTML content processes and can be sent). *It says exception writing multipart.*

Can somebody help me, where is the problem? Is it my company's SMTP not allowing it, or should I prepare the content in a different manner?

Below is the stack trace.
06:29:44,321 ERROR [org.keycloak.services] (default task-110) KC-SERVICES0029: Failed to send email: javax.mail.MessagingException: IOException while sending message; nested exception is: java.io.IOException: Exception writing Multipart at com.sun.mail.smtp.SMTPTransport.sendMessage(SMTPTransport.java:1290) at org.keycloak.email.DefaultEmailSenderProvider.send(DefaultEmailSenderProvider.java:125) at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:191) at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:183) at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:156) at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.sendExecuteActions(FreeMarkerEmailTemplateProvider.java:139) at org.keycloak.services.resources.admin.UsersResource.executeActionsEmail(UsersResource.java:855) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) at 
org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.io.IOException: Exception writing Multipart
    at com.sun.mail.handlers.multipart_mixed.writeTo(multipart_mixed.java:83)
    at javax.activation.ObjectDataContentHandler.writeTo(DataHandler.java:897)
    at javax.activation.DataHandler.writeTo(DataHandler.java:330)
    at javax.mail.internet.MimeBodyPart.writeTo(MimeBodyPart.java:1645)
    at javax.mail.internet.MimeMessage.writeTo(MimeMessage.java:1850)
    at com.sun.mail.smtp.SMTPTransport.sendMessage(SMTPTransport.java:1241)
    ... 57 more
Caused by: javax.mail.MessagingException: Empty multipart: multipart/alternative; boundary="----=_Part_0_766978197.1478845783718"
    at javax.mail.internet.MimeMultipart.writeTo(MimeMultipart.java:548)
    at com.sun.mail.handlers.multipart_mixed.writeTo(multipart_mixed.java:81)
    ... 62 more

Cheers
Abhishek

From stuarta at squashedfrog.net Fri Nov 11 05:05:18 2016
From: stuarta at squashedfrog.net (Stuart Auchterlonie)
Date: Fri, 11 Nov 2016 10:05:18 +0000
Subject: [keycloak-user] ERROR sending email with my companies SMTP server : Exception writing multipart
In-Reply-To: 
References: 
Message-ID: <0db12d12-b253-0c03-4c13-9f33584fccf2@squashedfrog.net>

Do you have the error from the mail server's logs?
That can often be more informative than the error it presents back via the SMTP conversation.

Regards
Stuart

From rickard.ostergard at gmail.com Fri Nov 11 05:41:57 2016
From: rickard.ostergard at gmail.com (Rickard Östergård)
Date: Fri, 11 Nov 2016 10:41:57 +0000
Subject: [keycloak-user] Account mangment: Server-side validation of custom user attributes profile update
Message-ID: 

Hi,

Is there a way to do server-side validation for custom user attributes when the user updates the profile via the Account management page ( /realms//account/ )?

I have implemented a theme template as described here: https://keycloak.gitbooks.io/server-developer-guide/content/v/2.3/topics/custom-attributes.html#_account_management_console . It's possible to edit the custom user attributes, however is there a way to validate these attributes server-side?

I have read this previous question, http://lists.jboss.org/pipermail/keycloak-user/2016-April/005625.html, but as far as I understand this only describes how to implement validation when the user registers. I need to implement the same validation for user profile updates.

Best regards,
Rickard

From sthorger at redhat.com Fri Nov 11 05:57:01 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 11 Nov 2016 11:57:01 +0100
Subject: [keycloak-user] Account mangment: Server-side validation of custom user attributes profile update
In-Reply-To: 
References: 
Message-ID: 

Not at the moment. We're introducing a Profile SPI in 3.x that will provide this capability.

From michael_furman at hotmail.com Fri Nov 11 06:31:15 2016
From: michael_furman at hotmail.com (Michael Furman)
Date: Fri, 11 Nov 2016 11:31:15 +0000
Subject: [keycloak-user] Clarifications regarding advanced authentications (LDAP, Kerberos, SAML)
In-Reply-To: 
References: 
Message-ID: 

Hi Stian,

I will be happy for additional clarifications:

1. Is it possible to perform only authentication against LDAP? Just provide user name and password and Keycloak authenticates it against LDAP.
2. Where is the LDAP user password stored? In the Keycloak DB? In LDAP?
3. Is it possible to use LDAP User Federation with other types of authentication? For example with an additional user provider?

________________________________
From: Stian Thorgersen
Sent: Friday, November 4, 2016 7:39 AM
To: Michael Furman
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Clarifications regarding advanced authentications (LDAP, Kerberos, SAML)

On 3 November 2016 at 06:08, Michael Furman wrote:

> Hi all,
>
> I will be happy for clarifications regarding advanced authentications (LDAP, Kerberos, SAML).
>
> 1. Why is Kerberos "User Federation" but SAML an "Identity Provider"? Both are SSO protocols (I do understand the difference between the protocols, but it is seamless from the user's point of view).

Identity Brokering is for Web SSO IdPs. It works by redirecting the user.
User federation works by reading users from external sources. Kerberos when used with LDAP is just an authenticator, but there's also a federation provider so it can be used without LDAP, in which case only the username is available and the rest has to be filled in manually by the user.

> What is the difference between User Federation and Identity Provider in Keycloak? Will Keycloak import all users from the sources defined in "User Federation" into the internal database?
>
> 2. How do I incorporate "User Federation" or "Identity Provider" into the authentication flow? I see that I can add "Identity Provider Redirector", but how do I add "User Federation"?

Identity provider is a redirect and the user has to click a button, or you set up the default one. User federation works by looping through providers until a match for the username is found.

> 3. Regarding LDAP: I have added LDAP User Federation. The "Test connection" and the "Test authentication" pass successfully, but I cannot authenticate LDAP users in the UI. What have I missed? Should I add LDAP to the authentication flow?

You may not have configured it properly and it can't find the user within LDAP. Test connection / authentication just checks that Keycloak can connect to LDAP, not that it can find a specific user.

> Thank you in advance for your help.
>
> Michael

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From carlosthe19916 at gmail.com Fri Nov 11 08:12:15 2016
From: carlosthe19916 at gmail.com (Carlos Feria)
Date: Fri, 11 Nov 2016 08:12:15 -0500
Subject: [keycloak-user] How to configure KeycloakAuthorization on Angular2 Application
Message-ID: 

Hi all, good morning.
I am coding an Angular2 application and I need to implement Authorization like this example on Keycloak https://github.com/keycloak/keycloak/tree/master/examples/authz/photoz; there is another example that indicates how to use Keycloak on Angular2 applications ( https://github.com/keycloak/keycloak/tree/master/examples/demo-template/angular2-product-app )

My real problem is how to write responseError on Angular2? Have you ever had this kind of problem?

This is the code (red code) that I want to pass to Angular2.... please help me.

module.factory('authInterceptor', function ($q, $injector, $timeout, Identity) {
    return {
        request: function (request) {
            document.getElementById("output").innerHTML = '';
            if (Identity.authorization && Identity.authorization.rpt && request.url.indexOf('/authorize') == -1) {
                retries = 0;
                request.headers.Authorization = 'Bearer ' + Identity.authorization.rpt;
            } else {
                request.headers.Authorization = 'Bearer ' + Identity.authc.token;
            }
            return request;
        },
        responseError: function (rejection) {
            var status = rejection.status;
            if (status == 403 || status == 401) {
                var retry = (!rejection.config.retry || rejection.config.retry < 1);
                if (!retry) {
                    document.getElementById("output").innerHTML = 'You can not access or perform the requested operation on this resource.';
                    return $q.reject(rejection);
                }
                if (rejection.config.url.indexOf('/authorize') == -1 && retry) {
                    var deferred = $q.defer();
                    // here is the authorization logic, which tries to obtain an authorization
                    // token from the server in case the resource server returns a 403 or 401.
                    // (this is the part marked in red in the original mail)
                    Identity.authorization.authorize(rejection.headers('WWW-Authenticate')).then(function (rpt) {
                        deferred.resolve(rejection);
                    }, function () {
                        document.getElementById("output").innerHTML = 'You can not access or perform the requested operation on this resource.';
                    }, function () {
                        document.getElementById("output").innerHTML = 'Unexpected error from server.';
                    });
                    var promise = deferred.promise;
                    return promise.then(function (res) {
                        if (!res.config.retry) {
                            res.config.retry = 1;
                        } else {
                            res.config.retry++;
                        }
                        var $http = $injector.get("$http");
                        return $http(res.config).then(function (response) {
                            return response;
                        });
                    });
                }
            }
            return $q.reject(rejection);
        }
    };
});

--
Carlos E. Feria Vila

From ssilvert at redhat.com Fri Nov 11 08:51:09 2016
From: ssilvert at redhat.com (Stan Silvert)
Date: Fri, 11 Nov 2016 08:51:09 -0500
Subject: [keycloak-user] How to configure KeycloakAuthorization on Angular2 Application
In-Reply-To: 
References: 
Message-ID: <5825CCCD.90300@redhat.com>

I'm not sure I understand exactly what you are trying to do, and I don't think I have time to figure it out right now. The angular2-product-app does show error handling. Maybe you can explain a little more?

Also, your code shows up unformatted and I don't see anything in red. Perhaps you can put it on GitHub where it will be easier to view and discuss.

In a couple of weeks I'm probably going to start building an angular2/TypeScript adapter for Keycloak. This will likely just be a wrapper around the current javascript client, but it will make everything easier to consume with TypeScript. I want to keep your requirements in mind for this. Please keep me updated on your progress and I'll try to help as much as I can in the meantime.

Stan

From michael_furman at hotmail.com Fri Nov 11 09:53:11 2016
From: michael_furman at hotmail.com (Michael Furman)
Date: Fri, 11 Nov 2016 14:53:11 +0000
Subject: [keycloak-user] How to configure keycloak to send the user groups in claims?
Message-ID: 

Short question: How to configure keycloak to send the user groups in claims?

From rsoares at redhat.com Fri Nov 11 11:30:28 2016
From: rsoares at redhat.com (Rafael T. C. Soares)
Date: Fri, 11 Nov 2016 13:30:28 -0300
Subject: [keycloak-user] How to configure keycloak to send the user groups in claims?
In-Reply-To: 
References: 
Message-ID: <28e98e16-ed9a-8a53-83b2-166711c86761@redhat.com>

I believe you can use Client Protocol Mappers [1] to achieve this.

[1] https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/clients/protocol-mappers.html

___
Rafael T. C. Soares

On 11/11/2016 11:53 AM, Michael Furman wrote:
> Short question: How to configure keycloak to send the user groups in claims?
From nbquinns at gmail.com Fri Nov 11 21:21:07 2016
From: nbquinns at gmail.com (Nico Burbigh)
Date: Sat, 12 Nov 2016 12:21:07 +1000
Subject: [keycloak-user] Step-Up Authentication
Message-ID: 

Hi Keycloak users,

we have a requirement to provide step-up authentication. Looking at the Keycloak server and its adapters, it appears there is no support for it out of the box. Also the user group email http://lists.jboss.org/pipermail/keycloak-user/2016-April/005707.html suggests it will come at some stage later.

Has anyone used Keycloak to provide step-up authentication?

From jcain at redhat.com Fri Nov 11 23:13:22 2016
From: jcain at redhat.com (Josh Cain)
Date: Fri, 11 Nov 2016 22:13:22 -0600
Subject: [keycloak-user] Is An IDP - Initiated SSO to Broker Possible?
Message-ID: <1478924002.7776.4.camel@redhat.com>

Hi all,

I'm attempting an IDP-initiated SSO (via unsolicited SAML Request) against the Keycloak broker service. However, it's failing every time on the IdentityBrokerService.authenticated(..) method. I get the following error on the console:

22:05:04,945 ERROR [org.keycloak.services] (default task-61) staleCodeMessage

This method seems to think that clients should *always* visit the Keycloak IDP before returning with a SAML assertion, and the failure to retrieve an associated client session is causing a serious issue. I am able to successfully use the identity brokering functions if I use an SP-initiated flow, so I know the brokering piece is configured correctly.

Is this a limitation in the current implementation, or do I have something configured incorrectly?
--
Josh Cain | Software Applications Engineer
Identity and Access Management
Red Hat
+1 256-452-0150

From abhi.raghav007 at gmail.com Sat Nov 12 03:00:25 2016
From: abhi.raghav007 at gmail.com (abhishek raghav)
Date: Sat, 12 Nov 2016 13:30:25 +0530
Subject: [keycloak-user] ERROR sending email with my companies SMTP server : Exception writing multipart
In-Reply-To: <0db12d12-b253-0c03-4c13-9f33584fccf2@squashedfrog.net>
References: <0db12d12-b253-0c03-4c13-9f33584fccf2@squashedfrog.net>
Message-ID: 

Hey Stuart,

Thanks for the response, but I don't have access to the mail server logs. I only have the logs for my web server.

Cheers
Abhishek

On Fri, Nov 11, 2016 at 3:35 PM, Stuart Auchterlonie <stuarta at squashedfrog.net> wrote:
> Do you have the error from the mail server's logs?
>
> That can often be more informative than the error it presents back
> via the SMTP conversation.
> Regards
> Stuart

From michael_furman at hotmail.com Sun Nov 13 03:43:03 2016
From: michael_furman at hotmail.com (Michael Furman)
Date: Sun, 13 Nov 2016 08:43:03 +0000
Subject: [keycloak-user] How to configure keycloak to send the user groups in claims?
In-Reply-To: <28e98e16-ed9a-8a53-83b2-166711c86761@redhat.com>
References: <28e98e16-ed9a-8a53-83b2-166711c86761@redhat.com>
Message-ID: 

Thanks for the fast reply! It works!
From michael_furman at hotmail.com Sun Nov 13 08:14:38 2016
From: michael_furman at hotmail.com (Michael Furman)
Date: Sun, 13 Nov 2016 13:14:38 +0000
Subject: [keycloak-user] How to generate Realm Keys via rest API?
Message-ID: 

I was able to generate the new keypair via the UI: https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/realms/keys.html

Now I want to do it via the REST API but can find only a GET method: http://www.keycloak.org/docs/rest-api/#_get_admin_realms_realm_keys

How to generate Realm Keys via the REST API?

From bburke at redhat.com Sun Nov 13 09:06:06 2016
From: bburke at redhat.com (Bill Burke)
Date: Sun, 13 Nov 2016 09:06:06 -0500
Subject: [keycloak-user] Is An IDP - Initiated SSO to Broker Possible?
In-Reply-To: <1478924002.7776.4.camel@redhat.com>
References: <1478924002.7776.4.camel@redhat.com>
Message-ID: <5c5a9138-e73b-8e62-0c6f-d2033f28975f@redhat.com>

So, you:

1. visit the IDP-initiated SSO URL on keycloak

2. Select an external IDP to login from on the Keycloak login page

3. Login to the external IDP

4. Failure?

Sounds like a bug.

If you're trying to do IDP-initiated SSO starting from the external IDP, that's not something we support.

From Chris.Brandhorst at topicus.nl Sun Nov 13 09:16:58 2016
From: Chris.Brandhorst at topicus.nl (Chris Brandhorst)
Date: Sun, 13 Nov 2016 14:16:58 +0000
Subject: [keycloak-user] Is An IDP - Initiated SSO to Broker Possible?
In-Reply-To: <5c5a9138-e73b-8e62-0c6f-d2033f28975f@redhat.com>
References: <1478924002.7776.4.camel@redhat.com> <5c5a9138-e73b-8e62-0c6f-d2033f28975f@redhat.com>
Message-ID: 

Isn't this like my question:
http://lists.jboss.org/pipermail/keycloak-user/2016-October/007935.html

and bug report:
https://issues.jboss.org/browse/KEYCLOAK-3731

> If you're trying to do IDP-initiated SSO starting from the external IDP, that's not something we support.

It seems that that's exactly what we are attempting. Why shouldn't that be supported and what does that mean for my bug report (which was already worked on)?

From bburke at redhat.com Sun Nov 13 09:49:58 2016
From: bburke at redhat.com (Bill Burke)
Date: Sun, 13 Nov 2016 09:49:58 -0500
Subject: [keycloak-user] Is An IDP - Initiated SSO to Broker Possible?
In-Reply-To: 
References: <1478924002.7776.4.camel@redhat.com> <5c5a9138-e73b-8e62-0c6f-d2033f28975f@redhat.com>
Message-ID: <59b13778-0a5f-5058-8518-33397df413b3@redhat.com>

So, you have Application FOOBAR which is secured by IDP 'B'. You want to register an IDP initiated SSO link on IDP 'A' that redirects to IDP 'B' that redirects to Application FOOBAR? That's not something we support at the moment.

From nielsbne at gmail.com Sun Nov 13 18:28:58 2016
From: nielsbne at gmail.com (Niels Bertram)
Date: Mon, 14 Nov 2016 09:28:58 +1000
Subject: [keycloak-user] KeycloakJS and Angular ui-router
Message-ID: 

Hi there,

has anyone ever attempted to marry the Keycloak JavaScript adapter with Angular ui-router? The basic AngularJS example from the Keycloak github page does not really integrate with Angular components such as ui-router, and the bootstrapping of the auth system outside of Angular kills test-ability of our site.
A set of ng services that plays nice with other ng components would make life much easier. Curious to find anyone who managed to get Keycloak working in an Angular way.

Kind Regards,
Niels

From jitendrachouhan03 at gmail.com Mon Nov 14 00:56:29 2016
From: jitendrachouhan03 at gmail.com (Jitendra Chouhan)
Date: Mon, 14 Nov 2016 11:26:29 +0530
Subject: [keycloak-user] Backward compatibility of keycloak adapters
Message-ID: 

Hi,

We have sample apps that are integrated with Keycloak-2.2.1; now we are migrating the existing samples to keycloak-2.3.0.Final. We need to clarify a few points regarding backward compatibility of Keycloak adapters.

We have an Angular JS app and a back-end app which use the keycloak JS and keycloak-spring-security adapters respectively. These apps are working fine with 2.2.1. In order to migrate from 2.2.1 to 2.3.0, the below listed actions have been performed.

1. Upgraded keycloak JS and keycloak-spring-security adapters to 2.3.0.
2. Exported the existing realm from 2.2.1 and imported it into the 2.3.0 instance of Keycloak.
3. We kept the same keycloak.json file since we imported a working configuration from 2.2.1 into 2.3.0 (verified all configurations are the same).

Upon verification we found the applications are working fine with 2.3.0 until the key is rotated. After key rotation the applications are not working. But if we download the applications' keycloak.json from the 2.3.0 instance, everything works fine.

Does this mean the adapter is not backward compatible? As we know the key rotation feature was introduced in 2.3.0; the reference documentation states that the adapter will query/refer to the public key and certificate from the Keycloak server instance.

Our point: since we imported the configuration from the previous Keycloak version (the key is the same), if applications upgrade their adapters to 2.3.0 and even keep the old keycloak.json files in the respective apps, it should work (as per expectation the adapter should refer to keys/certs from the Keycloak server).
Doesn't it make more sense for keycloak-2.3 adapters to ignore (not read) the public-key defined in the application's keycloak.json file and always refer to the Keycloak server? In this way application migration will be easier from one version of Keycloak to another.

Please do let me know if further information is needed.

Thanks,
Jitendra Chouhan

From martin.johansson at metrical.se Mon Nov 14 02:04:37 2016
From: martin.johansson at metrical.se (Martin Johansson)
Date: Mon, 14 Nov 2016 07:04:37 +0000
Subject: [keycloak-user] Can't get redirect to work when using send-verify-email on a newly created user
Message-ID:

Hi,

I can't seem to get the redirect to work when I create a user and send an e-mail verification mail to said user. The mail arrives, the link can be clicked and the e-mail is verified. However, the *redirect_uri* that I send as a query parameter along with a valid *client_id* is not used to redirect the user after the verification of the e-mail is completed. The user stays at the verification page.

Most likely I'm doing something wrong but I can't wrap my head around what it is.

Thanks in advance for any help.

BR,
Martin

From amaeztu at tesicnor.com Mon Nov 14 02:32:17 2016
From: amaeztu at tesicnor.com (Aritz Maeztu)
Date: Mon, 14 Nov 2016 08:32:17 +0100
Subject: [keycloak-user] How to configure an enterprise TLS secured mail server
Message-ID: <64ddc20e-d642-bf19-a51e-97c36784450c@tesicnor.com>

Hello everybody,

I'm trying to configure Keycloak to send its e-mails using our company's e-mail server. I have no problem doing it using a simple configuration (just username and password, no encryption). However, our mail server accepts TLS and we do use a custom certificate for it, but I don't know how to make the Keycloak server trust it (I know I have to add it to the JVM trusted certificates, but how to do it in WildFly?). Every tutorial I read is for configuring WildFly itself to use the certificate and enable SSL, but in this case WildFly would be the client.
That's the error I get while trying to send the e-mail (SSL handshake):

18:02:59,903 ERROR [org.keycloak.services] (default task-4) KC-SERVICES0088: Failed to send execute actions email: org.keycloak.email.EmailException: Failed to template email
	at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:179)
	at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:150)
	at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.sendExecuteActions(FreeMarkerEmailTemplateProvider.java:133)
	at org.keycloak.services.resources.admin.UsersResource.executeActionsEmail(UsersResource.java:855)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
	at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
	at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
	at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
	at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
	at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
	at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
	at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
	at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
	at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
	at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
	at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
	at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
	at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
	at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
	at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
	at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
	at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
	at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
	at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
	at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
	at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
	at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
	at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
	at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
	at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
	at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
	at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)
Caused by: org.keycloak.email.EmailException: javax.mail.MessagingException: Could not convert socket to TLS;
  nested exception is:
	javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at org.keycloak.email.DefaultEmailSenderProvider.send(DefaultEmailSenderProvider.java:127)
	at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:185)
	at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:177)
	... 54 more
Caused by: javax.mail.MessagingException: Could not convert socket to TLS;
  nested exception is:
	javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:2046)
	at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:711)
	at javax.mail.Service.connect(Service.java:366)
	at javax.mail.Service.connect(Service.java:246)
	at javax.mail.Service.connect(Service.java:267)
	at org.keycloak.email.DefaultEmailSenderProvider.send(DefaultEmailSenderProvider.java:120)
	... 56 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
	at com.sun.mail.util.SocketFetcher.configureSSLSocket(SocketFetcher.java:598)
	at com.sun.mail.util.SocketFetcher.startTLS(SocketFetcher.java:525)
	at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:2041)
	... 61 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
	at sun.security.validator.Validator.validate(Validator.java:260)
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
	... 71 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
	... 77 more

Any idea about this? Thanks!

-- 
Aritz Maeztu Otaño
Software Development Department

Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
Tel. Aritz Maeztu: 948 68 03 06
Tel. Secretary's office: 948 21 40 40

Before printing this e-mail, think carefully about whether it is necessary: the environment is everyone's business.

From sthorger at redhat.com Mon Nov 14 02:52:47 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 14 Nov 2016 08:52:47 +0100
Subject: [keycloak-user] Backward compatibility of keycloak adapters
In-Reply-To:
References:
Message-ID:

Support for multiple keys and seamless retrieval of new keys was added to the adapters in 2.3, so you need to update to get this.
The old adapters work, but they either require static keys in config or will download the key at startup. Upgrade the server first, then the adapters, and remove the keys from config at the same time. Simple.

If we ignored keys in config, that would have actually broken backwards compatibility.

On 14 Nov 2016 06:58, "Jitendra Chouhan" wrote:

> Hi,
>
> We have sample apps that are integrated with Keycloak-2.2.1; now we are
> migrating the existing samples to keycloak-2.3.0.Final. We need to clarify a few
> points regarding backward compatibility of the Keycloak adapters.
>
> We have an Angular JS app and a back-end app which use the keycloak JS and
> keycloak-spring-security adapters respectively. These apps are working fine
> with 2.2.1. In order to migrate from 2.2.1 to 2.3.0, the below
> listed actions have been performed:
>
> 1. Upgraded keycloak JS and keycloak-spring-security adapters to 2.3.0.
> 2. Exported the existing realm from 2.2.1 and imported it into the 2.3.0 instance of
> Keycloak.
> 3. Kept the same keycloak.json file, since we imported the working configuration
> from 2.2.1 into 2.3.0 (verified all configurations are the same).
>
> Upon verification we found the applications are working fine with 2.3.0 until the key
> is rotated. After key rotation the applications are not working. But if we
> download the applications' keycloak.json from the 2.3.0 instance,
> everything works fine.
>
> Does this mean the adapter is not backward compatible? As we know, the key rotation
> feature was introduced in 2.3.0, and the reference documentation states
> that the adapter will query/refer to the public key and certificate from the Keycloak
> server instance.
>
> Our point: since we imported the configuration from the previous Keycloak
> version (the key is the same), if applications have upgraded their adapters to 2.3.0
> and kept the old keycloak.json files in the respective apps, it should work (as
> per expectation the adapter should refer to the keys/certs from the Keycloak server).
>
> Doesn't it make more sense for keycloak-2.3 adapters to ignore (not read) the
> public-key defined in the application's keycloak.json file and always refer to
> the Keycloak server? In this way application migration will be easier from one
> version of Keycloak to another.
>
> Please do let me know if further information is needed.
>
> Thanks,
> Jitendra Chouhan

From mposolda at redhat.com Mon Nov 14 03:02:53 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 14 Nov 2016 09:02:53 +0100
Subject: [keycloak-user] Step-Up Authentication
In-Reply-To:
References:
Message-ID:

Right, we don't have step-up authentication OOTB right now. In theory, you can implement some support for it yourself, because we have the Authentication SPI. So you can build a flow which somehow distinguishes the required level of authentication (for example based on some request parameter) and then chooses the authenticators based on the required level, etc. But note that it likely won't be trivial to do this properly.

Marek

On 12/11/16 03:21, Nico Burbigh wrote:
> Hi Keycloak users, we have a requirement to provide step-up authentication.
> Looking at Keycloak server and its adapters, it appears there is no support
> for it out of the box.
>
> Also user group email
> http://lists.jboss.org/pipermail/keycloak-user/2016-April/005707.html
> suggests it will come at some stage later.
>
> Has anyone used keycloak to provide step up authentication?
From sthorger at redhat.com Mon Nov 14 03:11:37 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 14 Nov 2016 09:11:37 +0100
Subject: [keycloak-user] automatic user cleanup with UserSessionProvider SPI
In-Reply-To: <582352a9.0130ed0a.10866.1713@mx.google.com>
References: <582352a9.0130ed0a.10866.1713@mx.google.com>
Message-ID:

Look at the providers docs. You need to set your custom provider as the default provider.

Deleting users when the session is deleted doesn't sound like a brilliant idea though. Why do you want to do that?

On 9 Nov 2016 17:47, wrote:

> Is there a way using one of the service provider interfaces to
> automatically delete users when the user session expires? I tried the
> UserSessionProvider, but am not sure how to install it and have Keycloak
> use it. I tried installing it in the providers folder to no avail. I
> tried installing it as a module to no avail. Anyone have a working example
> of this provider?
>
> I've successfully built and installed other SPIs without issue, but those
> had working examples in the keycloak documentation and/or GitHub.
>
> I'm using Keycloak 2.3.0.Final
From sthorger at redhat.com Mon Nov 14 03:19:00 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 14 Nov 2016 09:19:00 +0100
Subject: [keycloak-user] How to configure an enterprise TLS secured mail server
In-Reply-To: <64ddc20e-d642-bf19-a51e-97c36784450c@tesicnor.com>
References: <64ddc20e-d642-bf19-a51e-97c36784450c@tesicnor.com>
Message-ID:

Adding to the JVM trust store should work, and you can also configure a separate trust store for Keycloak (check the installation guide).

On 14 Nov 2016 08:34, "Aritz Maeztu" wrote:

> Hello everybody,
>
> I'm trying to configure keycloak to send its e-mails using our company's
> e-mail server. I have no problem doing it using a simple configuration
> (just username and password, no encryption). However, our mail server
> accepts TLS and we do use a custom certificate for it, but I don't know
> how to make the keycloak server trust it (I know I have to add it to the
> JVM trusted certificates, but how to do it in wildfly?). Every tutorial I
> read is for configuring wildfly itself to use the certificate and enable
> SSL, but in this case wildfly would be the client.
> That's the error I get while trying to send the e-mail (SSL handshake):
>
> [stack trace quoted from the original message above]
>
> Any idea about this? Thanks!
>
> --
> Aritz Maeztu Otaño
> Software Development Department
>
> Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
> Tel. Aritz Maeztu: 948 68 03 06
> Tel. Secretary's office: 948 21 40 40
>
> Before printing this e-mail, think carefully about whether it is necessary: the environment is everyone's business.
From Chris.Brandhorst at topicus.nl Mon Nov 14 04:36:34 2016
From: Chris.Brandhorst at topicus.nl (Chris Brandhorst)
Date: Mon, 14 Nov 2016 09:36:34 +0000
Subject: [keycloak-user] Is An IDP - Initiated SSO to Broker Possible?
In-Reply-To: <59b13778-0a5f-5058-8518-33397df413b3@redhat.com>
References: <1478924002.7776.4.camel@redhat.com> <5c5a9138-e73b-8e62-0c6f-d2033f28975f@redhat.com> <59b13778-0a5f-5058-8518-33397df413b3@redhat.com>
Message-ID:

Let's forget about FOOBAR. From my JIRA ticket, I'm trying an IdP-initiated SSO from IdP A to IdP B (after which we can do all sorts of things with the authenticators).

Stian called this a bug (set for 2.4.1.Final now), but it seems you're saying this is not supported? This causes me some confusion, can you clarify?

Thanks,
Chris

> On 13 Nov 2016, at 15:49, Bill Burke wrote:
>
> So, you have Application FOOBAR which is secured by IDP 'B'. You want
> to register an IDP initiated SSO link on IDP 'A' that redirects to IDP
> 'B' that redirects to Application FOOBAR? That's not something we
> support at the moment.
>
>
>
> On 11/13/16 9:16 AM, Chris Brandhorst wrote:
>> Isn't this like my question:
>> http://lists.jboss.org/pipermail/keycloak-user/2016-October/007935.html
>>
>> and bug report:
>> https://issues.jboss.org/browse/KEYCLOAK-3731
>>
>> If you're trying to do IDP-initiated SSO starting from the external IDP,
>> that's not something we support.
>> It seems that that's exactly what we are attempting. Why shouldn't that be
>> supported and what does that mean for my bug report (which was already
>> worked on)?
>>
>> On 13 Nov 2016, at 15:06, Bill Burke wrote:
>>
>> So, you:
>>
>> 1. visit the IDP-initiated SSO URL on keycloak
>>
>> 2. Select an external IDP to login from on the Keycloak login page
>>
>> 3. Login to the external IDP
>>
>> 4. Failure?
>>
>> Sounds like a bug.
>>
>> If you're trying to do IDP-initiated SSO starting from the external IDP,
>> that's not something we support.
>>
>>
>> On 11/11/16 11:13 PM, Josh Cain wrote:
>> Hi all,
>>
>> I'm attempting an IDP-initiated SSO (via unsolicited SAML Request)
>> against the Keycloak broker service. However, it's failing every time
>> on the IdentityBrokerService.authenticated(..) method. I get the
>> following error on the console:
>>
>> 22:05:04,945 ERROR [org.keycloak.services] (default task-61)
>> staleCodeMessage
>>
>> This method seems to think that clients should *always* visit the
>> Keycloak IDP before returning with a SAML assertion, and the failure to
>> retrieve an associated client session is causing a serious issue. I am
>> able to successfully use the identity brokering functions if I use an
>> SP-initiated flow, so I know the brokering piece is configured
>> correctly.
>>
>> Is this a limitation in the current implementation, or do I have
>> something configured incorrectly?

From jcain at redhat.com Mon Nov 14 09:23:15 2016
From: jcain at redhat.com (Josh Cain)
Date: Mon, 14 Nov 2016 08:23:15 -0600
Subject: [keycloak-user] Is An IDP - Initiated SSO to Broker Possible?
In-Reply-To: References: <1478924002.7776.4.camel@redhat.com> <5c5a9138-e73b-8e62-0c6f-d2033f28975f@redhat.com> <59b13778-0a5f-5058-8518-33397df413b3@redhat.com> Message-ID: <1479133395.5096.2.camel@redhat.com> @Chris - yep, exactly the same thing. ?Thanks for pointing me to the right bug, I'll continue discussion there! On Mon, 2016-11-14 at 09:36 +0000, Chris Brandhorst wrote: > Let?s forget about FOOBAR. From my JIRA ticket, I?m trying an IdP- > initiated SSO from IdP A to > IdP B (after which we can do all sorts of things with the > authenticators). > > Stian called this a bug (set for 2.4.1.Final now), but it seems > you?re saying this is not supported? > This causes me some confusion, can you clarify? > > Thanks, > Chris > > > > > On 13 Nov 2016, at 15:49, Bill Burke wrote: > > > > So, you have Application FOOBAR which is secured by IDP 'B'.??You > > want? > > to register an IDP initiated SSO link on IDP 'A' that redirects to > > IDP? > > 'B' that redirects to Application FOOBAR???That's not something we? > > support at the moment. > > > > > > > > On 11/13/16 9:16 AM, Chris Brandhorst wrote: > > > > > > Isn?t this like my question: > > > http://lists.jboss.org/pipermail/keycloak-user/2016-October/00793 > > > 5.html > > > > > > and bug report: > > > https://issues.jboss.org/browse/KEYCLOAK-3731 > > > > > > If you're trying to do IDP-initiated SSO starting from the > > > external IDP, > > > that's not something we support. > > > It seems that that?s exactly what we are attempting. Why > > > shouldn?t that be > > > supported and what does that mean for my bug report (which was > > > already > > > worked on)? > > > > > > On 13 Nov 2016, at 15:06, Bill Burke > > urke at redhat.com>> wrote: > > > > > > So, you: > > > > > > 1. visit the IDP-initiated SSO URL on keycloak > > > > > > 2. Select an external IDP to login from on the Keycloak login > > > page > > > > > > 3. Login to the external IDP > > > > > > 4. Failure? > > > > > > Sounds like a bug. 
> > > > > > If you're trying to do IDP-initiated SSO starting from the > > > external IDP, > > > that's not something we support. > > > > > > > > > On 11/11/16 11:13 PM, Josh Cain wrote: > > > Hi all, > > > > > > I'm attempting an IDP-initiated SSO (via unsolicited SAML > > > Request) > > > against the Keycloak broker service.??However, it's failing every > > > time > > > on the IdentityBrokerService.authenticated(..) method.??I get the > > > following error on the console: > > > > > > 22:05:04,945 ERROR [org.keycloak.services] (default task-61) > > > staleCodeMessage > > > > > > This method seems to think that clients should *always* visit the > > > Keycloak IDP before returning with a SAML assertion, a the > > > failure to > > > retrieve an associated client session is causing a serious > > > issue.??I am > > > able to successfully use the identity brokering functions if I > > > use an > > > SP-initiated flow, so I know the brokering piece is configured > > > correctly. > > > > > > Is this a limitation in the current implementation, or do I have > > > something configured incorrectly? 
> > > > > > > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > g> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From bburke at redhat.com Mon Nov 14 09:32:06 2016 From: bburke at redhat.com (Bill Burke) Date: Mon, 14 Nov 2016 09:32:06 -0500 Subject: [keycloak-user] Is An IDP - Initiated SSO to Broker Possible? In-Reply-To: <1479133395.5096.2.camel@redhat.com> References: <1478924002.7776.4.camel@redhat.com> <5c5a9138-e73b-8e62-0c6f-d2033f28975f@redhat.com> <59b13778-0a5f-5058-8518-33397df413b3@redhat.com> <1479133395.5096.2.camel@redhat.com> Message-ID: This is not a bug, its a feature request. The IDP-SSO-Initiated link is not set up to process SAML requests. I didn't even think that people would want to do a broker initiated sso. On 11/14/16 9:23 AM, Josh Cain wrote: > @Chris - yep, exactly the same thing. Thanks for pointing me to the > right bug, I'll continue discussion there! > On Mon, 2016-11-14 at 09:36 +0000, Chris Brandhorst wrote: >> Let?s forget about FOOBAR. From my JIRA ticket, I?m trying an IdP- >> initiated SSO from IdP A to >> IdP B (after which we can do all sorts of things with the >> authenticators). >> >> Stian called this a bug (set for 2.4.1.Final now), but it seems >> you?re saying this is not supported? >> This causes me some confusion, can you clarify? 
>> >> Thanks, >> Chris >> >>> On 13 Nov 2016, at 15:49, Bill Burke wrote: >>> >>> So, you have Application FOOBAR which is secured by IDP 'B'. You >>> want >>> to register an IDP initiated SSO link on IDP 'A' that redirects to >>> IDP >>> 'B' that redirects to Application FOOBAR? That's not something we >>> support at the moment. >>> >>> >>> >>> On 11/13/16 9:16 AM, Chris Brandhorst wrote: >>>> Isn?t this like my question: >>>> http://lists.jboss.org/pipermail/keycloak-user/2016-October/00793 >>>> 5.html >>>> >>>> and bug report: >>>> https://issues.jboss.org/browse/KEYCLOAK-3731 >>>> >>>> If you're trying to do IDP-initiated SSO starting from the >>>> external IDP, >>>> that's not something we support. >>>> It seems that that?s exactly what we are attempting. Why >>>> shouldn?t that be >>>> supported and what does that mean for my bug report (which was >>>> already >>>> worked on)? >>>> >>>> On 13 Nov 2016, at 15:06, Bill Burke >>> urke at redhat.com>> wrote: >>>> >>>> So, you: >>>> >>>> 1. visit the IDP-initiated SSO URL on keycloak >>>> >>>> 2. Select an external IDP to login from on the Keycloak login >>>> page >>>> >>>> 3. Login to the external IDP >>>> >>>> 4. Failure? >>>> >>>> Sounds like a bug. >>>> >>>> If you're trying to do IDP-initiated SSO starting from the >>>> external IDP, >>>> that's not something we support. >>>> >>>> >>>> On 11/11/16 11:13 PM, Josh Cain wrote: >>>> Hi all, >>>> >>>> I'm attempting an IDP-initiated SSO (via unsolicited SAML >>>> Request) >>>> against the Keycloak broker service. However, it's failing every >>>> time >>>> on the IdentityBrokerService.authenticated(..) method. 
I get the >>>> following error on the console: >>>> >>>> 22:05:04,945 ERROR [org.keycloak.services] (default task-61) >>>> staleCodeMessage >>>> >>>> This method seems to think that clients should *always* visit the >>>> Keycloak IDP before returning with a SAML assertion, a the >>>> failure to >>>> retrieve an associated client session is causing a serious >>>> issue. I am >>>> able to successfully use the identity brokering functions if I >>>> use an >>>> SP-initiated flow, so I know the brokering piece is configured >>>> correctly. >>>> >>>> Is this a limitation in the current implementation, or do I have >>>> something configured incorrectly? >>>> >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org>>> g> >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From Chris.Brandhorst at topicus.nl Mon Nov 14 09:50:07 2016 From: Chris.Brandhorst at topicus.nl (Chris Brandhorst) Date: Mon, 14 Nov 2016 14:50:07 +0000 Subject: [keycloak-user] Is An IDP - Initiated SSO to Broker Possible? 
In-Reply-To: References: <1478924002.7776.4.camel@redhat.com> <5c5a9138-e73b-8e62-0c6f-d2033f28975f@redhat.com> <59b13778-0a5f-5058-8518-33397df413b3@redhat.com> <1479133395.5096.2.camel@redhat.com> Message-ID: Well, it seems we do :-) In our case we have an existing desktop application with its own user management (IdP A) which posts signed SAML responses to our webapplication. We would like to migrate to an IdP setup using KeyCloak, with our webapplication as a client of KeyCloak (IdP B). Since IdP A is a desktop application, only the IdP- initiated flow is viable. > On 14 Nov 2016, at 15:32, Bill Burke wrote: > > This is not a bug, its a feature request. The IDP-SSO-Initiated link is > not set up to process SAML requests. I didn't even think that people > would want to do a broker initiated sso. > > > On 11/14/16 9:23 AM, Josh Cain wrote: >> @Chris - yep, exactly the same thing. Thanks for pointing me to the >> right bug, I'll continue discussion there! >> On Mon, 2016-11-14 at 09:36 +0000, Chris Brandhorst wrote: >>> Let?s forget about FOOBAR. From my JIRA ticket, I?m trying an IdP- >>> initiated SSO from IdP A to >>> IdP B (after which we can do all sorts of things with the >>> authenticators). >>> >>> Stian called this a bug (set for 2.4.1.Final now), but it seems >>> you?re saying this is not supported? >>> This causes me some confusion, can you clarify? >>> >>> Thanks, >>> Chris >>> >>>> On 13 Nov 2016, at 15:49, Bill Burke wrote: >>>> >>>> So, you have Application FOOBAR which is secured by IDP 'B'. You >>>> want >>>> to register an IDP initiated SSO link on IDP 'A' that redirects to >>>> IDP >>>> 'B' that redirects to Application FOOBAR? That's not something we >>>> support at the moment. 
>>>> >>>> >>>> >>>> On 11/13/16 9:16 AM, Chris Brandhorst wrote: >>>>> Isn?t this like my question: >>>>> http://lists.jboss.org/pipermail/keycloak-user/2016-October/00793 >>>>> 5.html >>>>> >>>>> and bug report: >>>>> https://issues.jboss.org/browse/KEYCLOAK-3731 >>>>> >>>>> If you're trying to do IDP-initiated SSO starting from the >>>>> external IDP, >>>>> that's not something we support. >>>>> It seems that that?s exactly what we are attempting. Why >>>>> shouldn?t that be >>>>> supported and what does that mean for my bug report (which was >>>>> already >>>>> worked on)? >>>>> >>>>> On 13 Nov 2016, at 15:06, Bill Burke >>>> urke at redhat.com>> wrote: >>>>> >>>>> So, you: >>>>> >>>>> 1. visit the IDP-initiated SSO URL on keycloak >>>>> >>>>> 2. Select an external IDP to login from on the Keycloak login >>>>> page >>>>> >>>>> 3. Login to the external IDP >>>>> >>>>> 4. Failure? >>>>> >>>>> Sounds like a bug. >>>>> >>>>> If you're trying to do IDP-initiated SSO starting from the >>>>> external IDP, >>>>> that's not something we support. >>>>> >>>>> >>>>> On 11/11/16 11:13 PM, Josh Cain wrote: >>>>> Hi all, >>>>> >>>>> I'm attempting an IDP-initiated SSO (via unsolicited SAML >>>>> Request) >>>>> against the Keycloak broker service. However, it's failing every >>>>> time >>>>> on the IdentityBrokerService.authenticated(..) method. I get the >>>>> following error on the console: >>>>> >>>>> 22:05:04,945 ERROR [org.keycloak.services] (default task-61) >>>>> staleCodeMessage >>>>> >>>>> This method seems to think that clients should *always* visit the >>>>> Keycloak IDP before returning with a SAML assertion, a the >>>>> failure to >>>>> retrieve an associated client session is causing a serious >>>>> issue. I am >>>>> able to successfully use the identity brokering functions if I >>>>> use an >>>>> SP-initiated flow, so I know the brokering piece is configured >>>>> correctly. 
>>>>> >>>>> Is this a limitation in the current implementation, or do I have >>>>> something configured incorrectly? >>>>> >>>>> >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org>>>> g> >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From jcain at redhat.com Mon Nov 14 10:59:50 2016 From: jcain at redhat.com (Josh Cain) Date: Mon, 14 Nov 2016 09:59:50 -0600 Subject: [keycloak-user] Is An IDP - Initiated SSO to Broker Possible? In-Reply-To: References: <1478924002.7776.4.camel@redhat.com> <5c5a9138-e73b-8e62-0c6f-d2033f28975f@redhat.com> <59b13778-0a5f-5058-8518-33397df413b3@redhat.com> <1479133395.5096.2.camel@redhat.com> Message-ID: <1479139190.5096.6.camel@redhat.com> Real-world use-case: Folks are managing Red Hat VM's on Microsoft's Azure platform, and they need to SSO over th Red Hat for support (Via support link on VM management console). ?Microsoft initiates the SSO to the Red Hat broker from the Azure console. 
https://azure.microsoft.com/en-in/blog/red-hat-customer-portal-from-azu re/ On Mon, 2016-11-14 at 14:50 +0000, Chris Brandhorst wrote: > Well, it seems we do :-) > > In our case we have an existing desktop application with its own user > management > (IdP A) which posts signed SAML responses to our webapplication. > > We would like to migrate to an IdP setup using KeyCloak, with our > webapplication > as a client of KeyCloak (IdP B). Since IdP A is a desktop > application, only the IdP- > initiated flow is viable. > > > > > > On 14 Nov 2016, at 15:32, Bill Burke wrote: > > > > This is not a bug, its a feature request.??The IDP-SSO-Initiated > > link is? > > not set up to process SAML requests.??I didn't even think that > > people? > > would want to do a broker initiated sso. > > > > > > On 11/14/16 9:23 AM, Josh Cain wrote: > > > > > > @Chris - yep, exactly the same thing.??Thanks for pointing me to > > > the > > > right bug, I'll continue discussion there! > > > On Mon, 2016-11-14 at 09:36 +0000, Chris Brandhorst wrote: > > > > > > > > Let?s forget about FOOBAR. From my JIRA ticket, I?m trying an > > > > IdP- > > > > initiated SSO from IdP A to > > > > IdP B (after which we can do all sorts of things with the > > > > authenticators). > > > > > > > > Stian called this a bug (set for 2.4.1.Final now), but it seems > > > > you?re saying this is not supported? > > > > This causes me some confusion, can you clarify? > > > > > > > > Thanks, > > > > Chris > > > > > > > > > > > > > > On 13 Nov 2016, at 15:49, Bill Burke > > > > > wrote: > > > > > > > > > > So, you have Application FOOBAR which is secured by IDP > > > > > 'B'.??You > > > > > want > > > > > to register an IDP initiated SSO link on IDP 'A' that > > > > > redirects to > > > > > IDP > > > > > 'B' that redirects to Application FOOBAR???That's not > > > > > something we > > > > > support at the moment. 
> > > > > > > > > > > > > > > > > > > > On 11/13/16 9:16 AM, Chris Brandhorst wrote: > > > > > > > > > > > > Isn?t this like my question: > > > > > > http://lists.jboss.org/pipermail/keycloak-user/2016-October > > > > > > /00793 > > > > > > 5.html > > > > > > > > > > > > and bug report: > > > > > > https://issues.jboss.org/browse/KEYCLOAK-3731 > > > > > > > > > > > > If you're trying to do IDP-initiated SSO starting from the > > > > > > external IDP, > > > > > > that's not something we support. > > > > > > It seems that that?s exactly what we are attempting. Why > > > > > > shouldn?t that be > > > > > > supported and what does that mean for my bug report (which > > > > > > was > > > > > > already > > > > > > worked on)? > > > > > > > > > > > > On 13 Nov 2016, at 15:06, Bill Burke > > > > > lto:bb > > > > > > urke at redhat.com>> wrote: > > > > > > > > > > > > So, you: > > > > > > > > > > > > 1. visit the IDP-initiated SSO URL on keycloak > > > > > > > > > > > > 2. Select an external IDP to login from on the Keycloak > > > > > > login > > > > > > page > > > > > > > > > > > > 3. Login to the external IDP > > > > > > > > > > > > 4. Failure? > > > > > > > > > > > > Sounds like a bug. > > > > > > > > > > > > If you're trying to do IDP-initiated SSO starting from the > > > > > > external IDP, > > > > > > that's not something we support. > > > > > > > > > > > > > > > > > > On 11/11/16 11:13 PM, Josh Cain wrote: > > > > > > Hi all, > > > > > > > > > > > > I'm attempting an IDP-initiated SSO (via unsolicited SAML > > > > > > Request) > > > > > > against the Keycloak broker service.??However, it's failing > > > > > > every > > > > > > time > > > > > > on the IdentityBrokerService.authenticated(..) 
method.??I > > > > > > get the > > > > > > following error on the console: > > > > > > > > > > > > 22:05:04,945 ERROR [org.keycloak.services] (default task- > > > > > > 61) > > > > > > staleCodeMessage > > > > > > > > > > > > This method seems to think that clients should *always* > > > > > > visit the > > > > > > Keycloak IDP before returning with a SAML assertion, a the > > > > > > failure to > > > > > > retrieve an associated client session is causing a serious > > > > > > issue.??I am > > > > > > able to successfully use the identity brokering functions > > > > > > if I > > > > > > use an > > > > > > SP-initiated flow, so I know the brokering piece is > > > > > > configured > > > > > > correctly. > > > > > > > > > > > > Is this a limitation in the current implementation, or do I > > > > > > have > > > > > > something configured incorrectly? > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > > keycloak-user mailing list > > > > > > keycloak-user at lists.jboss.org > > > > > oss.or > > > > > > g> > > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > > > _______________________________________________ > > > > > > keycloak-user mailing list > > > > > > keycloak-user at lists.jboss.org > > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > _______________________________________________ > > > > > keycloak-user mailing list > > > > > keycloak-user at lists.jboss.org > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > _______________________________________________ > > > > keycloak-user mailing list > > > > keycloak-user at lists.jboss.org > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > > 
From schwartzbj17 at gmail.com Mon Nov 14 11:06:29 2016
From: schwartzbj17 at gmail.com (Brian Schwartz)
Date: Mon, 14 Nov 2016 10:06:29 -0600
Subject: [keycloak-user] automatic user cleanup with UserSessionProvider SPI
In-Reply-To:
References: <582352a9.0130ed0a.10866.1713@mx.google.com>
Message-ID:

The "why" is a long story. Out of my control.
I followed the docs and wasn't able to get it working. I will get back to
it soon and report back with details.

Thanks for the reply.

On Nov 14, 2016 2:11 AM, "Stian Thorgersen" wrote:

> Look at providers docs. You need to set your custom provider as the
> default provider. Deleting users when session is deleted doesn't sound like
> a brilliant idea though. Why do you want to do that?
>
> On 9 Nov 2016 17:47, wrote:
>
>> Is there a way using one of the service provider interfaces to
>> automatically delete users when the user session expires? I tried the
>> UserSessionProvider, but am not sure how to install it and have Keycloak
>> use it. I tried installing it in the providers folder to no avail. I
>> tried installing it as a module to no avail. Anyone have a working example
>> of this provider?
>>
>> I've successfully built and installed other SPIs without issue, but those
>> had working examples in the keycloak documentation and/or GitHub.
>>
>> I'm using Keycloak 2.3.0.Final
>>
>>
>>
>>
>> ---
>> This email has been checked for viruses by Avast antivirus software.
>> https://www.avast.com/antivirus

From jarekala at axway.com Mon Nov 14 13:30:01 2016
From: jarekala at axway.com (Jagannadha Rekala)
Date: Mon, 14 Nov 2016 18:30:01 +0000
Subject: [keycloak-user] Keycloak custom theme auto selection
Message-ID:

All,

Trying to see if there is a way I can select my custom theme as the login
theme for my realm as soon as Keycloak starts. I know how to create the
theme and manually select via administration console. I am looking for any
help in terms of CLI instead of json config import or manual theme
selection via Administration Console or if there is any better approach.

Thanks,

Jagan

From colin.ritchie at tasktop.com Mon Nov 14 14:47:35 2016
From: colin.ritchie at tasktop.com (Colin Ritchie)
Date: Mon, 14 Nov 2016 11:47:35 -0800
Subject: [keycloak-user] My KEYCLOAK_SESSION cookie is always wrong
Message-ID:

Hello,

I am running keycloak behind a reverse proxy. After I log in, when
visiting the keycloak admin, the page refreshes every 5 seconds. It
appears to be because my session cookie does not match the expected
KEYCLOAK_SESSION value in the server response.

When I monitor the traffic between the browser and keycloak, the cookie
sent to keycloak matches the cookie in the response.

When I put a breakpoint in the login.status.iframe.html getCookie() method,
I see the desired cookie with the incorrect name
"!Proxy!clusterProxyKEYCLOAK_SESSION", and I sometimes see an invalid
cookie with the correct name "KEYCLOAK_SESSION".

example:
"!Proxy!clusterProxyKEYCLOAK_SESSION=master/127ff890-6fde-47f5-8a81-039c67d0a261/c7b9427b-eb59-4b2a-8b3c-f8436c130613"

Does anyone know what is happening here?
--
Colin Ritchie | Engineering Manager | Tasktop Technologies

From hmlnarik at redhat.com Tue Nov 15 02:42:03 2016
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Tue, 15 Nov 2016 08:42:03 +0100
Subject: [keycloak-user] NPE - logout
In-Reply-To: <329bacbc7cfa1b81be24d20eee883c1a.squirrel@neposoft.com>
References: <329bacbc7cfa1b81be24d20eee883c1a.squirrel@neposoft.com>
Message-ID:

Please create JIRA for this issue.

--Hynek

On Wed, Nov 9, 2016 at 5:43 PM, java_os wrote:

> Hi - nullpointer on logout call
> 2.2.1.Final and 2.3.0.Final - Nullpointer when logging out using
> keycloak.js (setup: Ng(keycloak.js) -> Rest. Idp login through KC identity
> brokering to saml).
> Below is the stacktrace - how do I logout from the SAML bridge? login
> works.
> ------------read NPE at the bottom ---
> Anyone experienced this? It's happening on logout:
>
> 11:32:55,052 ERROR [io.undertow.request] (default task-9) UT005023: Exception handling request to /auth/realms/EDITED/protocol/openid-connect/logout: org.jboss.resteasy.spi.UnhandledException: java.lang.RuntimeException: java.lang.NullPointerException
> at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
> at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
> at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
> at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
> Caused by: java.lang.RuntimeException: java.lang.NullPointerException
> at org.keycloak.broker.saml.SAMLIdentityProvider.keycloakInitiatedBrowserLogout(SAMLIdentityProvider.java:180)
> at org.keycloak.services.managers.AuthenticationManager.browserLogout(AuthenticationManager.java:254)
> at org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.logout(LogoutEndpoint.java:142)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
> ... 37 more
> Caused by: java.lang.NullPointerException
> at java.net.URI$Parser.parse(URI.java:3042)
> at java.net.URI.<init>(URI.java:588)
> at java.net.URI.create(URI.java:850)
> at org.keycloak.saml.SAML2LogoutRequestBuilder.createLogoutRequest(SAML2LogoutRequestBuilder.java:89)
> at org.keycloak.saml.SAML2LogoutRequestBuilder.buildDocument(SAML2LogoutRequestBuilder.java:78)
> at org.keycloak.broker.saml.SAMLIdentityProvider.keycloakInitiatedBrowserLogout(SAMLIdentityProvider.java:178)
> ... 51 more
>
>
>

--
--Hynek

From sthorger at redhat.com Tue Nov 15 06:27:11 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 15 Nov 2016 12:27:11 +0100
Subject: [keycloak-user] My KEYCLOAK_SESSION cookie is always wrong
In-Reply-To:
References:
Message-ID:

Looks like your reverse proxy is for some reason messing with the cookies.

On 14 November 2016 at 20:47, Colin Ritchie wrote:

> Hello,
>
> I am running keycloak behind a reverse proxy. After I log in, when
> visiting the keycloak admin, the page refreshes every 5 seconds. It
> appears to be because my session cookie does not match the expected
> KEYCLOAK_SESSION value in the server response.
>
> When I monitor the traffic between the browser and keycloak, the cookie
> sent to keycloak matches the cookie in the response.
>
> When I put a breakpoint in the login.status.iframe.html getCookie() method,
> I see the desired cookie with the incorrect name
> "!Proxy!clusterProxyKEYCLOAK_SESSION", and I sometimes see an invalid
> cookie with the correct name "KEYCLOAK_SESSION".
>
> example:
> "!Proxy!clusterProxyKEYCLOAK_SESSION=master/127ff890-6fde-47f5-8a81-039c67d0a261/c7b9427b-eb59-4b2a-8b3c-f8436c130613"
>
> Does anyone know what is happening here?
>
> --
> Colin Ritchie | Engineering Manager | Tasktop Technologies

From sthorger at redhat.com Tue Nov 15 06:33:13 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 15 Nov 2016 12:33:13 +0100
Subject: [keycloak-user] Keycloak custom theme auto selection
In-Reply-To:
References:
Message-ID:

We are planning to introduce an admin CLI soon, but it will require the server to be running as it's using the REST endpoints. You can also call the admin REST endpoints yourself in the meantime.

On 14 November 2016 at 19:30, Jagannadha Rekala wrote:

> All,
>
> Trying to see if there is a way I can select my custom theme as the login theme for my realm as soon as Keycloak starts. I know how to create the theme and manually select it via the administration console. I am looking for any help in terms of CLI instead of JSON config import or manual theme selection via the Administration Console, or if there is any better approach.
>
> Thanks,
>
> Jagan

From sthorger at redhat.com Tue Nov 15 06:34:34 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 15 Nov 2016 12:34:34 +0100
Subject: [keycloak-user] automatic user cleanup with UserSessionProvider SPI
In-Reply-To:
References: <582352a9.0130ed0a.10866.1713@mx.google.com>
Message-ID:

I'm asking for the why to see if you have a use-case that we should consider.

Should be pretty simple. Create a custom user session provider, then set it in standalone.xml as the default for the userSession SPI.

On 14 November 2016 at 17:06, Brian Schwartz wrote:

> The "why" is a long story. Out of my control.
> I followed the docs and wasn't able to get it working.
> I will get back to it soon and report back with details.
>
> Thanks for the reply.
>
> On Nov 14, 2016 2:11 AM, "Stian Thorgersen" wrote:
>
>> Look at the providers docs. You need to set your custom provider as the default provider. Deleting users when the session is deleted doesn't sound like a brilliant idea though. Why do you want to do that?
>>
>> On 9 Nov 2016 17:47, wrote:
>>
>>> Is there a way using one of the service provider interfaces to automatically delete users when the user session expires? I tried the UserSessionProvider, but am not sure how to install it and have Keycloak use it. I tried installing it in the providers folder to no avail. I tried installing it as a module to no avail. Anyone have a working example of this provider?
>>>
>>> I've successfully built and installed other SPIs without issue, but those had working examples in the keycloak documentation and/or GitHub.
>>>
>>> I'm using Keycloak 2.3.0.Final

From sthorger at redhat.com Tue Nov 15 06:35:25 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 15 Nov 2016 12:35:25 +0100
Subject: [keycloak-user] How to generate Realm Keys via rest API?
In-Reply-To:
References:
Message-ID:

It's using the component storage endpoints. The simplest way to figure it out is to use the web console to look at what requests are sent from the admin console.
On 13 November 2016 at 14:14, Michael Furman wrote:

> I was able to generate the new keypair via UI:
> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/realms/keys.html
> Now I want to do it via REST API but can find only the GET method:
> http://www.keycloak.org/docs/rest-api/#_get_admin_realms_realm_keys
> How to generate Realm Keys via REST API?

From nbquinns at gmail.com Tue Nov 15 07:22:31 2016
From: nbquinns at gmail.com (Nico Burbigh)
Date: Tue, 15 Nov 2016 22:22:31 +1000
Subject: [keycloak-user] Step-Up Authentication
In-Reply-To:
References:
Message-ID:

Hi Marek, would you think that the level of authentication should be stored in the access token or rather as a separate cookie in the SSO server context? I think it also requires some thoughts around triggering the MFA on the adapter side.

On Mon, Nov 14, 2016 at 6:02 PM, Marek Posolda wrote:

> Right, we don't have step-up authentication OOTB right now.
>
> In theory, you can implement some support of it by yourself, because we have the Authentication SPI. So you can do the flow, which will somehow differentiate the required level of authentication (for example based on some request parameter) and then choose the authenticators based on the required level etc. But note that it likely won't be trivial to do this properly.
>
> Marek
>
> On 12/11/16 03:21, Nico Burbigh wrote:
>
>> Hi Keycloak users, we have a requirement to provide step-up authentication. Looking at Keycloak server and its adapters, it appears there is no support for it out of the box.
>>
>> Also user group email http://lists.jboss.org/pipermail/keycloak-user/2016-April/005707.html suggests it will come at some stage later.
>>
>> Has anyone used keycloak to provide step up authentication?
>>

From scott at morgiij.com Tue Nov 15 09:47:52 2016
From: scott at morgiij.com (Scott Corscadden)
Date: Tue, 15 Nov 2016 09:47:52 -0500
Subject: [keycloak-user] Keycloak & API for users to create their own accounts (from iOS)
Message-ID:

Hello everyone. Fairly new to the list and the Keycloak technology, so I appreciate your patience. I dislike cross-posting, so I have *not* added aerogear-users at lists.jboss.org, but suspect I'll need some input from that side as well. Corinne, I have added you as I suspect you'd be able to decide if I should CC it in.

The background: I'd like to use a Keycloak (2.3.0) deployed instance to abstract user account management, including Facebook/Google/LinkedIn/etc Identity providers. I've been able to set up this instance & link it to Facebook without too much trouble; I can log into the keycloak website as a Facebook user. Nginx is being used as the SSL reverse proxy.

The primary "client" is an iOS application, which needs to read graph information from said providers if available. I've been able to find a Swift 3 fork of the wonderful "aerogear-ios-oauth2" library. A minor change to not assume the Bundle Id can be used as the redirectURL protocol (mine contains dots and dashes, which seems to cause the server to reject with "invalid redirect_url") and hooray! I can authenticate against Facebook-into-keycloak, receive an Authorization Code, and "exchangeAuthorizationCodeForAccessToken" successfully.

The two problems I am trying to solve (I've been trying to find documentation but may be miserably bad at finding it):

Ideally I'm only asking keycloak for graph information (name, address, etc). Thus I *suspect* this is what the "Mappers" section is needed for per Identity Provider? Is that right, or not necessary?
The iOS app will have a native "Create account" screen with native Email & Password fields. I'd like to make either an OAuth2 call or an HTTPS POST call to keycloak to do that. I do see the "Create a new user" link, but so far I only see a "temporary password" API. Obviously I could use a native WebView and fill the fields manually, but that doesn't feel quite right.

Any suggestions here are very, very welcome, and thanks for reading this far. I'm very impressed so far with both keycloak and the aerogear OAuth2 library.

./scc

From java at neposoft.com Tue Nov 15 11:21:27 2016
From: java at neposoft.com (java_os)
Date: Tue, 15 Nov 2016 11:21:27 -0500
Subject: [keycloak-user] NPE - logout
In-Reply-To:
References: <329bacbc7cfa1b81be24d20eee883c1a.squirrel@neposoft.com>
Message-ID: <4d8e2fac3cef9d6c0ada94aed7429002.squirrel@neposoft.com>

We're talking NPE on KC brokering IdP. To get this working I had to turn ON the "Backchannel Logout" for the IdP provider settings. It does not matter if "Single Logout Service URL" has a value or not, it still works. I think the backchannel stuff kills the browser's SSO session. Does this mean that the user is still logged into the IdP? How do we force KC to tell the IdP to logout when we logout from KC? The setting "Single Logout Service URL" does not trigger that as I was expecting it should. But surely this is a bug and KC should not get into an NPE if that feature is OFF - will open up a jira.

thx

> Please create a JIRA for this issue.
>
> --Hynek
>
> On Wed, Nov 9, 2016 at 5:43 PM, java_os wrote:
>
>> Hi - nullpointer on logout call
>> 2.2.1.Final and 2.3.0.Final - Nullpointer when logging out using keycloak.js (setup: Ng(keycloak.js) -> Rest. Idp login through KC identity brokering to saml).
>> Below is the stacktrace - how do I logout from the SAML bridge? login works.
>> ------------read NPE at the bottom ---
>> Anyone experienced this?
>> It's happening on logout:
>>
>> 11:32:55,052 ERROR [io.undertow.request] (default task-9) UT005023: Exception handling request to /auth/realms/EDITED/protocol/openid-connect/logout: org.jboss.resteasy.spi.UnhandledException: java.lang.RuntimeException: java.lang.NullPointerException
>> at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
>> at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
>> at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
>> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>> at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>> at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>> at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>> at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>> at java.lang.Thread.run(Thread.java:745)
>> Caused by: java.lang.RuntimeException: java.lang.NullPointerException
>> at org.keycloak.broker.saml.SAMLIdentityProvider.keycloakInitiatedBrowserLogout(SAMLIdentityProvider.java:180)
>> at org.keycloak.services.managers.AuthenticationManager.browserLogout(AuthenticationManager.java:254)
>> at org.keycloak.protocol.oidc.endpoints.LogoutEndpoint.logout(LogoutEndpoint.java:142)
>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> at java.lang.reflect.Method.invoke(Method.java:498)
>> at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
>> at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>> at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>> at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
>> ... 37 more
>> Caused by: java.lang.NullPointerException
>> at java.net.URI$Parser.parse(URI.java:3042)
>> at java.net.URI.<init>(URI.java:588)
>> at java.net.URI.create(URI.java:850)
>> at org.keycloak.saml.SAML2LogoutRequestBuilder.createLogoutRequest(SAML2LogoutRequestBuilder.java:89)
>> at org.keycloak.saml.SAML2LogoutRequestBuilder.buildDocument(SAML2LogoutRequestBuilder.java:78)
>> at org.keycloak.broker.saml.SAMLIdentityProvider.keycloakInitiatedBrowserLogout(SAMLIdentityProvider.java:178)
>> ...
>> 51 more
>>
>
> --
>
> --Hynek

From amaeztu at tesicnor.com Tue Nov 15 12:06:06 2016
From: amaeztu at tesicnor.com (Aritz Maeztu)
Date: Tue, 15 Nov 2016 18:06:06 +0100
Subject: [keycloak-user] Best practices for combining web and mobile usage in one realm
Message-ID:

Hi all,

I'm using keycloak 2.2.1 to secure my application. The application can be accessed both via web and mobile (Android app). Both of them use the authorization code flow, which I believe is the ideal form of authentication for my case.

The topic I want to clarify here is token lifespans. As far as I understand, the SSO session idle timeout determines how long a token can last without being refreshed. On the other hand, SSO session max determines how long a token can last, even if it's being refreshed again and again. Well, now a couple of questions:

1. Is there a way to make the web session limited to, let's say, 30 minutes and to have a long-lived refresh token for the app?

2. How to deal with the refresh token in the app? What I do right now is to launch a webview when the application starts and store the access and refresh tokens in user preferences (which is secured in Android). I wrap each HTTP request made from the app and add the access token, unless it has expired, in which case I request a new access token with the refresh token. But when should I check the validity of the refresh token itself? I don't want a chain of requests being interrupted because of the refresh token being expired!

Thanks in advance for your help!

--
Aritz Maeztu Otaño
Software Development Department
Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E
31110 Noain (Navarra)
Tel. Aritz Maeztu: 948 68 03 06
Tel. Secretary's office: 948 21 40 40
Before printing this e-mail, consider whether it is really necessary: the environment is everyone's responsibility.
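Added example for question 2 above (not code from the post or from Keycloak): a client-side token manager that reads the exp claims of the access and refresh tokens, decides before each request whether to use, refresh or re-login, and checks the refresh token once before a chain of requests starts so the chain is not interrupted halfway. The token lifetimes, issuer, client_id and the 30-second skew are assumptions for the demo.

```javascript
// Added example, not code from the original post or from Keycloak: a token
// manager for a native client that holds an access token and a refresh token,
// like the Android app described above. Before each request it decides whether
// to reuse the access token, refresh it first, or send the user back to login,
// by reading the "exp" claims, so a chain of requests is not cut off by an
// already-expired refresh token. Lifetimes, the 30 s skew and the sample tokens
// are constructed for the demo.

// Base64url-decode a JWT payload WITHOUT checking the signature. That is only
// acceptable for scheduling on the client: the server remains the authority
// and validates the signature and expiry of every token it receives.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, "base64").toString("utf8"));
}

// Seconds until the token's "exp" claim, relative to nowSeconds (Unix time).
function secondsUntilExpiry(token, nowSeconds) {
  const { exp } = decodeJwtPayload(token);
  if (typeof exp !== "number") throw new Error("JWT has no numeric exp claim");
  return exp - nowSeconds;
}

// What to do before sending one request:
//   "use"     - access token still valid, attach it as a Bearer token;
//   "refresh" - access token expired or about to, refresh token still valid,
//               call the token endpoint with grant_type=refresh_token first;
//   "login"   - refresh token itself expired or about to (SSO session idle or
//               max reached), run the authorization code flow again.
function nextAction(tokens, nowSeconds, skewSeconds = 30) {
  if (secondsUntilExpiry(tokens.accessToken, nowSeconds) > skewSeconds) return "use";
  if (secondsUntilExpiry(tokens.refreshToken, nowSeconds) > skewSeconds) return "refresh";
  return "login";
}

// Answer to "when should I check the refresh token": once, up front, before a
// dependent chain of requests starts. If the refresh token will not outlive the
// chain, re-authenticate now instead of failing halfway through.
function canStartRequestChain(tokens, nowSeconds, chainSeconds, skewSeconds = 30) {
  return secondsUntilExpiry(tokens.refreshToken, nowSeconds) > chainSeconds + skewSeconds;
}

// Form body for the refresh call (OAuth 2.0 refresh_token grant for a public
// client identified by client_id only; a confidential client would also
// authenticate with its secret).
function refreshRequestBody(refreshToken, clientId) {
  return new URLSearchParams({
    grant_type: "refresh_token",
    refresh_token: refreshToken,
    client_id: clientId,
  }).toString();
}

// ---- constructed sample tokens (demo only) ----
// The third segment is a placeholder, not a real signature; this client never
// verifies it, and a server would reject such a token.
function makeSampleJwt(payload) {
  const enc = (o) =>
    Buffer.from(JSON.stringify(o)).toString("base64")
      .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(payload)}.placeholder`;
}

// Assumed realm settings: access token 5 min, SSO session idle 30 min, so the
// refresh token's exp is 30 min out. NOW is a fixed constructed clock value.
const NOW = 1479225600; // 2016-11-15T16:00:00Z
const ISSUER = "https://example.invalid/auth/realms/demo"; // assumed
const SAMPLE_TOKENS = {
  accessToken: makeSampleJwt({ exp: NOW + 300, typ: "Bearer", iss: ISSUER }),
  refreshToken: makeSampleJwt({ exp: NOW + 1800, typ: "Refresh", iss: ISSUER }),
};
```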
From Jeremy.Kie at state.nm.us Tue Nov 15 13:40:59 2016
From: Jeremy.Kie at state.nm.us (Kie, Jeremy, CYFD)
Date: Tue, 15 Nov 2016 18:40:59 +0000
Subject: [keycloak-user] Reverse Proxy with SSL - Bad Request
Message-ID:

Hello,

I've been searching for help with a problem I am encountering. I have reviewed a number of threads in the archive but none seem to provide enough help for our setup.

Keycloak 2.1.0.Final
Apache as a reverse proxy

When accessing the application - https://apps-test.simple.com/bacon - I get redirected to our keycloak server, but the redirect_uri is set to http://apps-test.simple.com/bacon. When I login successfully, I get redirected, but it results in 400 - Bad Request. I see the following lines in the app server log file:

2016-11-15 09:49:02,827 WARN [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-16) state parameter invalid
2016-11-15 09:49:02,827 WARN [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-16) cookie: 53/1e4c027f-e5aa-47f1-bd4f-e9e5f9e32577
2016-11-15 09:49:02,827 WARN [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-16) queryParam: 53%2F1e4c027f-e5aa-47f1-bd4f-e9e5f9e32577

I did find this thread http://lists.jboss.org/pipermail/keycloak-user/2016-January/004449.html

What we want to do is similar, but both the auth and site (thus redirect URI) use SSL. I'm not sure if this is giving us problems.

Any help is greatly appreciated.

Regards,
Jeremy

P.S.
Here is our reverse proxy config (slightly redacted):

Timeout 900
ErrorLog syslog

# Exclude all robots
SetHandler None
Alias /robots.txt /srv/www/htdocs/robots.txt

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
CustomLog /var/log/apache2/proxy_log proxy env=forwarded
CustomLog /var/log/apache2/access_log combined env=!forwarded

ServerName apps-test.simple.com
RequestHeader set X-Forwarded-Proto "http"
RedirectMatch ^/$ https://apps-test.simple.com
UseCanonicalName On
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{SERVER_NAME}/%{REQUEST_URI} [R,L]

ServerName apps-test.simple.com
SSLEngine on
SSLProxyEngine On
SSLProtocol -ALL +TLSv1
SSLCertificateKeyFile /etc/apache2/ssl.key/rsa_private_key_2015.pem
SSLCertificateFile /etc/apache2/ssl.crt/WC_simple_com_server_2015-16.crt
SSLCertificateChainFile /etc/apache2/ssl.crt/IntermediateCA-SHA2root.crt
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!RC4+RSA:+HIGH:+MEDIUM
RequestHeader unset Range
RequestHeader unset Request-Range
ProxyRequests Off
ProxyPreserveHost On
RequestHeader add X-Forwarded-Ssl on
RequestHeader set X-Forwarded-Proto "https"
RequestHeader set X-Forwarded-Port "443"
SetEnv force-proxy-request-1.0 1
SetEnv proxy-nokeepalive 1
SetEnv proxy-initial-not-pooled 1
RedirectMatch ^/$ https://apps-test.simple.com
ProxyPass "!"
ProxyPass "!"
ProxyPass http://keycloak:8080/auth/
ProxyPassReverse http://keycloak:8080/auth/
ProxyPassReverseCookieDomain http://keycloak.simple.com http://apps-test.simple.com
ProxyPassReverseCookiePath / /auth/
ProxyPass http://internal.simple.com:8080/bacon/
ProxyPassReverse http://internal.simple.com:8080/bacon/
ProxyPassReverseCookieDomain http://internal.simple.com https://apps-test.simple.com
ProxyPassReverseCookiePath / /bacon/
ServerSignature Off
ServerTokens Prod
TraceEnable off
SSLSessionCache shmcb:/usr/local/apache/logs/ssl_gcache_data(512000)

From Jeremy.Kie at state.nm.us Tue Nov 15 16:10:14 2016
From: Jeremy.Kie at state.nm.us (Kie, Jeremy, CYFD)
Date: Tue, 15 Nov 2016 21:10:14 +0000
Subject: [keycloak-user] Reverse Proxy with SSL - Bad Request
In-Reply-To:
References:
Message-ID: <73f8703823c74b738227584c8093e7e4@MBXCAS001.nmes.lcl>

I resolved my issue. The problem was a bad configuration in the web.xml. There was a Javascript client deployed along with the web application which had issues with a greedy "url-pattern" used for the security constraint within the web.xml.

Regards,
Jeremy

From Tomas.GRMAN at orange.com Wed Nov 16 02:40:15 2016
From: Tomas.GRMAN at orange.com (GRMAN, Tomas)
Date: Wed, 16 Nov 2016 07:40:15 +0000
Subject: [keycloak-user] User can't revoke grants for a client without role in Account app
Message-ID: <0454d64627484bfab18cffb850469e0d@orange.com>

Hello,

Suppose we have a client defined with a scope = e.g. 1 role, requiring consent, and a user with that role. Assume we don't want to provision users with this role (required implementation on the client side); we have to use a default realm role. The Account application then shows the client in the application screen, without the user giving any consent. Which is btw. perfectly understandable, as in this situation the screen shows only information about available permissions. This would be quite OK, however with possibly several hundreds of clients, this table would get messy.

Another possibility is to have a client without any scopes defined (full scope is disabled) requiring consent too.
If a user accepts the consent, no information is displayed in the application screen of the Account application, and as such the user is unable to revoke the grant.

We'd prefer to show only clients with accepted consents in the application screen, however I'm not sure whether the second possibility mentioned is a bug or a feature. Shouldn't it be possible to revoke a grant although no scope (role) is defined?

Any help appreciated.

Tomas

From martin.johansson at metrical.se Wed Nov 16 03:10:04 2016
From: martin.johansson at metrical.se (Martin Johansson)
Date: Wed, 16 Nov 2016 08:10:04 +0000
Subject: [keycloak-user] Redirect after verifying e-mail doesn't work
Message-ID:

Hi,

I'm still experiencing troubles when the users have verified the e-mail. The issue is the following.

1. Create a user via REST API
2. Add send-verify-email to the created user
3. The user receives a verification e-mail
4. When clicking the link, the e-mail is verified but the user stays on the verification page

I've tried the following to resolve the issue without any luck:

- Update to Keycloak 2.3.0
- Add required actions when creating the user
- Pass query parameters client_id along with redirect_uri
- Pass only client_id and configure the Base URL for said client

The JIRA board has an issue (KEYCLOAK-2806) that is unresolved and without any comments.

So, has anyone got this to work or have a workaround? Any help would be much appreciated.
BR,
Martin

From ivan at akvo.org Wed Nov 16 03:55:51 2016
From: ivan at akvo.org (Iván Perdomo)
Date: Wed, 16 Nov 2016 09:55:51 +0100
Subject: [keycloak-user] Best practices for combining web and mobile usage in one realm
In-Reply-To:
References:
Message-ID: <7b693f2b-8b90-a10d-3cb0-1d645cb7c04c@akvo.org>

Hi,

I think you should look at offline tokens, introduced in Keycloak 1.6.1 [1]

[1] http://blog.keycloak.org/2015/12/offline-tokens-in-keycloak.html

On 11/15/2016 06:06 PM, Aritz Maeztu wrote:

--
Iván

From zeus.arias at beeva.com Wed Nov 16 04:25:02 2016
From: zeus.arias at beeva.com (Zeus Arias Lucero | BEEVA)
Date: Wed, 16 Nov 2016 10:25:02 +0100
Subject: [keycloak-user] URL Query parameters
Message-ID:

Is it possible to propagate URL query parameters to the keycloak theme? If the URL is example.com/entity/v1, my theme has an activated button with URL example.com/remember/entity

From ivan at akvo.org Wed Nov 16 04:52:35 2016
From: ivan at akvo.org (Iván Perdomo)
Date: Wed, 16 Nov 2016 10:52:35 +0100
Subject: [keycloak-user] Best practices for combining web and mobile usage in one realm
In-Reply-To: <7b693f2b-8b90-a10d-3cb0-1d645cb7c04c@akvo.org>
References: <7b693f2b-8b90-a10d-3cb0-1d645cb7c04c@akvo.org>
Message-ID:

Found the location of the "Offline Access" section: https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/sessions/offline.html

On 11/16/2016 09:55 AM, Iván Perdomo wrote:

--
Iván

From sthorger at redhat.com Wed Nov 16 06:36:33 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 16 Nov 2016 12:36:33 +0100
Subject: [keycloak-user] Keycloak is now OpenID Connect certified
Message-ID:

I'm pleased to announce that Keycloak is now OpenID Connect certified for all 5 conformance profiles. For details check out http://openid.net/certification/.

From michael_furman at hotmail.com Wed Nov 16 06:38:35 2016
From: michael_furman at hotmail.com (Michael Furman)
Date: Wed, 16 Nov 2016 11:38:35 +0000
Subject: [keycloak-user] Is it possible to add OIDC client via command line?
Message-ID:

Hi,
(I have searched the archives without success)
I want to add an OIDC client via command line.
Similar to how we add the keycloak initial user (https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/initialization.html)
Alternatively, can I configure access to the REST APIs from the localhost IP without the user name/password authentication (and then I will add the OIDC client via REST API http://www.keycloak.org/docs/rest-api/#_create_a_new_client)?

From java at neposoft.com Wed Nov 16 08:27:25 2016
From: java at neposoft.com (java_os)
Date: Wed, 16 Nov 2016 08:27:25 -0500
Subject: [keycloak-user] Keycloak is now OpenID Connect certified
In-Reply-To:
References:
Message-ID:

Congrats - good work!

From William.Drescher at celum.com Wed Nov 16 10:13:34 2016
From: William.Drescher at celum.com (William Drescher [CELUM])
Date: Wed, 16 Nov 2016 15:13:34 +0000
Subject: [keycloak-user] Custom Required Action Emails
Message-ID:

Hello everyone,

We're having the problem that we need a different email text for different custom required actions, however when we use the API to send an email for a required action it always uses the same text.

Is there a way to provide different email text for different required actions?

Would appreciate any help anyone could offer.

From grantmarrow at gmail.com Wed Nov 16 14:08:59 2016
From: grantmarrow at gmail.com (Grant Marrow)
Date: Wed, 16 Nov 2016 21:08:59 +0200
Subject: [keycloak-user] No 'Access-Control-Allow-Origin' header is present on the requested resource
Message-ID:

Hi,

I really need some help. I keep on getting the following error:

*No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:9000' is therefore not allowed access.
The response had HTTP status code 500.* This is my setup: *Front End:* - angular 1.5 web application running at http://localhost:9000 - client configuration on keycloak admin console: - keycloak.json: { "realm": "leap", "auth-server-url": "http://localhost:8080/auth", "ssl-required": "external", "resource": "leap-web", "public-client": true } *Auth Server* - keycloak version 2.30Final running at http://localhost:8080 *Web service* - java REST service running on Tomcat version 8.5 - client config on keycloak admin console: - web.xml of rest service: Archetype Created Web Application leap-service com.hm.leap.service.init.ContextListener persistentUnit leap Leap-Service /resources/private/* user KEYCLOAK leap user - I also have the valve setup on my context.xml that lives in the META-INF directory - keycloak.json: { "realm": "leap", "bearer-only": true, "auth-server-url": "http://localhost:8080/auth", "ssl-required": "external", "resource": "leap-service", "enable-cors": true } The error occurs in the following scenario: - The angular web app launches, the user clicks the login button which redirects to Keycloak. The user signs in. The user then tries navigates to another page. This page then executes a GET request on my REST service which returns a list which is displayed in a table. But while executing the GET request, I receive the error: *No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:9000 ' is therefore not allowed access. The response had HTTP status code 500.* In my Tomcat log file. I see the following warning message: *11-Nov-2016 11:28:19.464 WARNING [http-nio-8081-exec-2] org.apache.catalina.authenticator.FormAuthenticator.forwardToLoginPage No login page was defined for FORM authentication in context [/leap-service]* I really can't seen to pinpoint the error. I find it quite strange because I have the same setup but using an older version of keycloak (1.9*), which worked fine. 
I know this might be a silly problem, but if you have some time to help me, I would really appreciate it. Thanks.

Regards
Grant

From chris.savory at edlogics.com Wed Nov 16 14:15:32 2016
From: chris.savory at edlogics.com (Chris Savory)
Date: Wed, 16 Nov 2016 19:15:32 +0000
Subject: [keycloak-user] No 'Access-Control-Allow-Origin' header is present on the requested resource
In-Reply-To:
References:
Message-ID: <3C302B8D-3A73-4082-A5C5-31E6E858C1E9@edlogics.com>

In the admin, click on Clients, then select your client. Do you have any values for "Web Origins" there? If not, you need to add "http://localhost:9000"

-- 
Christopher Savory
Software Engineer | EdLogics
www.edlogics.com

On 11/16/16, 1:08 PM, "keycloak-user-bounces at lists.jboss.org on behalf of Grant Marrow" wrote:

    Hi,

    I really need some help. I keep on getting the following error:

    *No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:9000' is therefore not allowed access. The response had HTTP status code 500.*

    This is my setup:

    *Front End:*
    - angular 1.5 web application running at http://localhost:9000
    - client configuration on keycloak admin console:
    - keycloak.json:

    {
      "realm": "leap",
      "auth-server-url": "http://localhost:8080/auth",
      "ssl-required": "external",
      "resource": "leap-web",
      "public-client": true
    }

    *Auth Server*
    - keycloak version 2.30Final running at http://localhost:8080

    *Web service*
    - java REST service running on Tomcat version 8.5
    - client config on keycloak admin console:
    - web.xml of rest service:

    Archetype Created Web Application leap-service com.hm.leap.service.init.ContextListener persistentUnit leap Leap-Service /resources/private/* user KEYCLOAK leap user

    - I also have the valve setup on my context.xml that lives in the META-INF directory
    - keycloak.json:

    {
      "realm": "leap",
      "bearer-only": true,
      "auth-server-url": "http://localhost:8080/auth",
      "ssl-required": "external",
      "resource": "leap-service",
      "enable-cors": true
    }

    The error occurs in the following scenario:
    - The angular web app launches, the user clicks the login button which redirects to Keycloak. The user signs in. The user then tries to navigate to another page. This page then executes a GET request on my REST service which returns a list which is displayed in a table. But while executing the GET request, I receive the error:

    *No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:9000' is therefore not allowed access. The response had HTTP status code 500.*

    In my Tomcat log file I see the following warning message:

    *11-Nov-2016 11:28:19.464 WARNING [http-nio-8081-exec-2] org.apache.catalina.authenticator.FormAuthenticator.forwardToLoginPage No login page was defined for FORM authentication in context [/leap-service]*

    I really can't seem to pinpoint the error. I find it quite strange because I have the same setup but using an older version of keycloak (1.9*), which worked fine. I know this might be a silly problem, but if you have some time to help me, I would really appreciate it. Thanks.

    Regards
    Grant

From chris.savory at edlogics.com Wed Nov 16 14:35:39 2016
From: chris.savory at edlogics.com (Chris Savory)
Date: Wed, 16 Nov 2016 19:35:39 +0000
Subject: [keycloak-user] No 'Access-Control-Allow-Origin' header is present on the requested resource
In-Reply-To:
References: <3C302B8D-3A73-4082-A5C5-31E6E858C1E9@edlogics.com>
Message-ID:

"The user then tries to navigate to another page. This page then executes a GET request on my REST service which returns a list which is displayed in a table. But while executing the GET request, I receive the error:"

Which page is the user navigating to (please include domains) and what is the GET call that is being made?

-- 
Christopher Savory
Software Engineer | EdLogics

From: Grant Marrow
Date: Wednesday, November 16, 2016 at 1:26 PM
To: Chris Savory
Subject: Re: [keycloak-user] No 'Access-Control-Allow-Origin' header is present on the requested resource

Hi Chris

Thanks for getting back to me. I have done that and it didn't work. I have also tried adding *. That did not work as well. What else can I try?

Please let me know. Thanks

Regards
Grant

On 16 Nov 2016 20:15, "Chris Savory" wrote:

In the admin, click on Clients, then select your client. Do you have any values for "Web Origins" there? If not, you need to add "http://localhost:9000"

-- 
Christopher Savory
Software Engineer | EdLogics
www.edlogics.com

    On 11/16/16, 1:08 PM, "keycloak-user-bounces at lists.jboss.org on behalf of Grant Marrow" wrote:

    Hi,

    I really need some help. I keep on getting the following error:

    *No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:9000' is therefore not allowed access. The response had HTTP status code 500.*

    This is my setup:

    *Front End:*
    - angular 1.5 web application running at http://localhost:9000
    - client configuration on keycloak admin console:
    - keycloak.json:

    {
      "realm": "leap",
      "auth-server-url": "http://localhost:8080/auth",
      "ssl-required": "external",
      "resource": "leap-web",
      "public-client": true
    }

    *Auth Server*
    - keycloak version 2.30Final running at http://localhost:8080

    *Web service*
    - java REST service running on Tomcat version 8.5
    - client config on keycloak admin console:
    - web.xml of rest service:

    Archetype Created Web Application leap-service com.hm.leap.service.init.ContextListener persistentUnit leap Leap-Service /resources/private/* user KEYCLOAK leap user

    - I also have the valve setup on my context.xml that lives in the META-INF directory
    - keycloak.json:

    {
      "realm": "leap",
      "bearer-only": true,
      "auth-server-url": "http://localhost:8080/auth",
      "ssl-required": "external",
      "resource": "leap-service",
      "enable-cors": true
    }

    The error occurs in the following scenario:
    - The angular web app launches, the user clicks the login button which redirects to Keycloak. The user signs in. The user then tries to navigate to another page. This page then executes a GET request on my REST service which returns a list which is displayed in a table. But while executing the GET request, I receive the error:

    *No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:9000' is therefore not allowed access. The response had HTTP status code 500.*

    In my Tomcat log file I see the following warning message:

    *11-Nov-2016 11:28:19.464 WARNING [http-nio-8081-exec-2] org.apache.catalina.authenticator.FormAuthenticator.forwardToLoginPage No login page was defined for FORM authentication in context [/leap-service]*

    I really can't seem to pinpoint the error. I find it quite strange because I have the same setup but using an older version of keycloak (1.9*), which worked fine. I know this might be a silly problem, but if you have some time to help me, I would really appreciate it. Thanks.

    Regards
    Grant

From scott at morgiij.com Wed Nov 16 15:06:10 2016
From: scott at morgiij.com (Scott Corscadden)
Date: Wed, 16 Nov 2016 15:06:10 -0500
Subject: [keycloak-user] Keycloak & API for users to create their own accounts (from iOS)
In-Reply-To:
References:
Message-ID:

I suspect this was too much to digest for most (which is fine) - and I've also learned to use plain text from now on. I've since been able to go a different route with a service-protected client for the "Create Account" part. The only question I have at the moment is how exactly to fold in/use Identity "Mappers". Has anyone seen any documentation/examples of using these?

Many thanks,
./scc

> On Nov 15, 2016, at 9:47 AM, Scott Corscadden wrote:
>
> Hello everyone. Fairly new to the list and the Keycloak technology, so I appreciate your patience. I dislike cross-posting, so I have *not* added aerogear-users at lists.jboss.org, but suspect I'll need some input from that side as well. Corinne, I have added you as I suspect you'd be able to decide if I should CC it in. The background:
>
> I'd like to use a Keycloak (2.3.0) deployed instance to abstract user account management, including Facebook/Google/LinkedIn/etc Identity providers. I've been able to set up this instance & link it to Facebook without too much trouble; I can log into the keycloak website as a Facebook user. Nginx is being used as the SSL reverse proxy.
> The primary "client" is an iOS application, which needs to read graph information from said providers if available. I've been able to find a swift 3 fork of the wonderful "aerogear-ios-oauth2" library. A minor change to not assume the Bundle Id can be used as the redirectURL protocol (mine contains dots and dashes, which seems to cause the server to reject with "invalid redirect_url") and hooray! I can authenticate against Facebook-into-keycloak, receive an Authorization Code, and "exchangeAuthorizationCodeForAccessToken" successfully.
>
> The two problems I am trying to solve (I've been trying to find documentation but may be miserably bad at finding it):
>
> Ideally I'm only asking keycloak for graph information (name, address, etc). Thus I *suspect* this is what the "Mappers" section is needed per Identity Provider? Is that right, or not necessary?
> The iOS app will have a native "Create account" screen with native Email & Password fields. I'd like to make either an Oauth2 call, or HTTPS POST call to keycloak to do that. I do see the "Create a new user" link, but so far I only see a "temporary password" api. Obviously I could use a native WebView and fill the fields manually but that doesn't feel quite right.
>
> Any suggestions here are very, very welcome, and thanks for reading this far.
>
> I'm very impressed so far with both keycloak and the aerogear Oauth2 library.
>
> ./scc

From grantmarrow at gmail.com Wed Nov 16 15:07:41 2016
From: grantmarrow at gmail.com (Grant Marrow)
Date: Wed, 16 Nov 2016 22:07:41 +0200
Subject: [keycloak-user] No 'Access-Control-Allow-Origin' header is present on the requested resource
In-Reply-To:
References: <3C302B8D-3A73-4082-A5C5-31E6E858C1E9@edlogics.com>
Message-ID:

Ok below is a step by step of events:
1. User navigates to web application at http://localhost:9000
2. User clicks the sign in button at http://localhost:9000/login
3. User is redirected to keycloak at http://localhost:8080 to login
4. Once signed in the user is redirected to http://localhost:9000
5. Authenticated User navigates to registrations page at http://localhost:9000/registrations. During this step a http GET request is done to http://localhost:8081/leap-service/resouces/private/registrations.

At the above step the error occurs. Please let me know if you need more information. Thanks

Regards
Grant

On 16 Nov 2016 20:26, "Grant Marrow" wrote:
> Hi Chris
>
> Thanks for getting back to me. I have done that and it didn't work. I have also tried adding *. That did not work as well. What else can I try?
>
> Please let me know. Thanks
>
> Regards
> Grant
> On 16 Nov 2016 20:15, "Chris Savory" wrote:
>
>> In the admin, click on Clients, then select your client. Do you have any values for "Web Origins" there? If not, you need to add "http://localhost:9000"
>>
>> --
>> Christopher Savory
>> Software Engineer | EdLogics
>> www.edlogics.com
>>
>> <https://twitter.com/EdLogics>
>>
>> On 11/16/16, 1:08 PM, "keycloak-user-bounces at lists.jboss.org on behalf of Grant Marrow" wrote:
>>
>> Hi,
>>
>> I really need some help. I keep on getting the following error:
>>
>> *No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:9000' is therefore not allowed access. The response had HTTP status code 500.*
>>
>> This is my setup:
>>
>> *Front End:*
>> - angular 1.5 web application running at http://localhost:9000
>> - client configuration on keycloak admin console:
>> - keycloak.json:
>>
>> {
>>   "realm": "leap",
>>   "auth-server-url": "http://localhost:8080/auth",
>>   "ssl-required": "external",
>>   "resource": "leap-web",
>>   "public-client": true
>> }
>>
>> *Auth Server*
>> - keycloak version 2.30Final running at http://localhost:8080
>>
>> *Web service*
>> - java REST service running on Tomcat version 8.5
>> - client config on keycloak admin console:
>> - web.xml of rest service:
>>
>> xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="WebApp_ID" version="3.0">
>> Archetype Created Web Application
>> leap-service
>> com.hm.leap.service.init.ContextListener
>> persistentUnit
>> leap
>> Leap-Service
>> /resources/private/*
>> user
>> KEYCLOAK
>> leap
>> user
>>
>> - I also have the valve setup on my context.xml that lives in the META-INF directory
>>
>> className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve"/>
>>
>> - keycloak.json:
>>
>> {
>>   "realm": "leap",
>>   "bearer-only": true,
>>   "auth-server-url": "http://localhost:8080/auth",
>>   "ssl-required": "external",
>>   "resource": "leap-service",
>>   "enable-cors": true
>> }
>>
>> The error occurs in the following scenario:
>> - The angular web app launches, the user clicks the login button which redirects to Keycloak. The user signs in. The user then tries to navigate to another page. This page then executes a GET request on my REST service which returns a list which is displayed in a table. But while executing the GET request, I receive the error:
>>
>> *No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:9000' is therefore not allowed access. The response had HTTP status code 500.*
>>
>> In my Tomcat log file I see the following warning message:
>>
>> *11-Nov-2016 11:28:19.464 WARNING [http-nio-8081-exec-2] org.apache.catalina.authenticator.FormAuthenticator.forwardToLoginPage No login page was defined for FORM authentication in context [/leap-service]*
>>
>> I really can't seem to pinpoint the error. I find it quite strange because I have the same setup but using an older version of keycloak (1.9*), which worked fine. I know this might be a silly problem, but if you have some time to help me, I would really appreciate it. Thanks.
>>
>> Regards
>> Grant
>>
>>

From chris.savory at edlogics.com Wed Nov 16 15:11:58 2016
From: chris.savory at edlogics.com (Chris Savory)
Date: Wed, 16 Nov 2016 20:11:58 +0000
Subject: [keycloak-user] No 'Access-Control-Allow-Origin' header is present on the requested resource
In-Reply-To:
References: <3C302B8D-3A73-4082-A5C5-31E6E858C1E9@edlogics.com>
Message-ID: <23562AA7-5108-4840-899F-2C88B345E166@edlogics.com>

This doesn't appear to be Keycloak related at all. This is just CORS errors on your API.

Try reading up here for some more background.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS

But in short, what you need to do is have your API respond with a couple of headers; primarily the 'Access-Control-Allow-Origin' header so the browser knows that XHR calls to the domain http://localhost:8081 are allowed to be called from pages that are served off of the domain http://localhost:9000

-- 
Christopher Savory
Software Engineer | EdLogics
www.edlogics.com

From: Grant Marrow
Date: Wednesday, November 16, 2016 at 2:07 PM
To: Chris Savory, "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] No 'Access-Control-Allow-Origin' header is present on the requested resource

Ok below is a step by step of events:
1. User navigates to web application at http://localhost:9000
2. User clicks the sign in button at http://localhost:9000/login
3. User is redirected to keycloak at http://localhost:8080 to login
4. Once signed in the user is redirected to http://localhost:9000
5. Authenticated User navigates to registrations page at http://localhost:9000/registrations. During this step a http GET request is done to http://localhost:8081/leap-service/resouces/private/registrations.

At the above step the error occurs. Please let me know if you need more information. Thanks

Regards
Grant

On 16 Nov 2016 20:26, "Grant Marrow" wrote:

Hi Chris

Thanks for getting back to me. I have done that and it didn't work. I have also tried adding *. That did not work as well. What else can I try?

Please let me know. Thanks

Regards
Grant

On 16 Nov 2016 20:15, "Chris Savory" wrote:

In the admin, click on Clients, then select your client. Do you have any values for "Web Origins" there? If not, you need to add "http://localhost:9000"

-- 
Christopher Savory
Software Engineer | EdLogics
www.edlogics.com

    On 11/16/16, 1:08 PM, "keycloak-user-bounces at lists.jboss.org on behalf of Grant Marrow" wrote:

    Hi,

    I really need some help. I keep on getting the following error:

    *No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:9000' is therefore not allowed access. The response had HTTP status code 500.*

    This is my setup:

    *Front End:*
    - angular 1.5 web application running at http://localhost:9000
    - client configuration on keycloak admin console:
    - keycloak.json:

    {
      "realm": "leap",
      "auth-server-url": "http://localhost:8080/auth",
      "ssl-required": "external",
      "resource": "leap-web",
      "public-client": true
    }

    *Auth Server*
    - keycloak version 2.30Final running at http://localhost:8080

    *Web service*
    - java REST service running on Tomcat version 8.5
    - client config on keycloak admin console:
    - web.xml of rest service:

    Archetype Created Web Application leap-service com.hm.leap.service.init.ContextListener persistentUnit leap Leap-Service /resources/private/* user KEYCLOAK leap user

    - I also have the valve setup on my context.xml that lives in the META-INF directory
    - keycloak.json:

    {
      "realm": "leap",
      "bearer-only": true,
      "auth-server-url": "http://localhost:8080/auth",
      "ssl-required": "external",
      "resource": "leap-service",
      "enable-cors": true
    }

    The error occurs in the following scenario:
    - The angular web app launches, the user clicks the login button which redirects to Keycloak. The user signs in. The user then tries to navigate to another page. This page then executes a GET request on my REST service which returns a list which is displayed in a table. But while executing the GET request, I receive the error:

    *No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:9000' is therefore not allowed access. The response had HTTP status code 500.*

    In my Tomcat log file I see the following warning message:

    *11-Nov-2016 11:28:19.464 WARNING [http-nio-8081-exec-2] org.apache.catalina.authenticator.FormAuthenticator.forwardToLoginPage No login page was defined for FORM authentication in context [/leap-service]*

    I really can't seem to pinpoint the error. I find it quite strange because I have the same setup but using an older version of keycloak (1.9*), which worked fine. I know this might be a silly problem, but if you have some time to help me, I would really appreciate it. Thanks.

    Regards
    Grant
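Added example illustrating the response-side half of what Chris Savory describes just above (the API answering with 'Access-Control-Allow-Origin' for pages served from http://localhost:9000). It is not code from the thread, from Keycloak or from the Tomcat adapter; it is written in Python rather than for the Java service in the thread, the two origins are the ones the thread uses, and the function names, the allowlist and the sample requests are constructed for the example.

```python
"""Origin-allowlist CORS policy for a cross-origin API.

Added example for this thread; it is not code from Keycloak, from the
Tomcat adapter, or from any participant.  The two origins come from the
thread (front end at http://localhost:9000, API at http://localhost:8081);
the function names, the allowlist layout and the sample requests below are
constructed for this example.
"""
from urllib.parse import urlsplit

# Origins allowed to read API responses, one full scheme://host[:port] each.
# Constructed for the example; plays the role of the "Web Origins" list
# discussed in the thread, but enforced by the API itself.
ALLOWED_ORIGINS = {"http://localhost:9000"}
ALLOWED_METHODS = ("GET", "POST", "PUT", "DELETE", "OPTIONS")
ALLOWED_HEADERS = ("authorization", "content-type")
PREFLIGHT_MAX_AGE = "600"  # seconds a browser may cache a preflight answer


def normalize_origin(origin):
    """Return 'scheme://host:port' for a syntactically valid Origin, else None.

    Whole-origin comparison (scheme, host and port) is what stops
    look-alikes such as http://localhost:9000.evil.example or
    http://evil.example/http://localhost:9000 from matching."""
    if not origin:
        return None
    parts = urlsplit(origin)
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname or parts.path:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return "%s://%s:%d" % (parts.scheme, parts.hostname.lower(), port)


_ALLOWED = {normalize_origin(o) for o in ALLOWED_ORIGINS}


def cors_headers(method, request_headers):
    """Headers to add to the response for one request.

    request_headers maps lower-cased header names to values.  An absent or
    unknown Origin yields only 'Vary: Origin': the API still answers, but the
    browser withholds the body from the calling page."""
    headers = {"Vary": "Origin"}  # caches must key on Origin, never reuse across sites
    raw_origin = request_headers.get("origin")
    if normalize_origin(raw_origin) not in _ALLOWED:
        return headers
    # Echo the caller's own origin rather than "*": browsers refuse "*" for
    # credentialed requests, and an allowlist keeps other sites from reading
    # responses that carry the user's bearer token.
    headers["Access-Control-Allow-Origin"] = raw_origin

    if method == "OPTIONS" and "access-control-request-method" in request_headers:
        # Preflight: confirm the real request's method and headers are allowed.
        wanted_method = request_headers["access-control-request-method"].upper()
        wanted = request_headers.get("access-control-request-headers", "")
        wanted_headers = [h.strip().lower() for h in wanted.split(",") if h.strip()]
        if wanted_method not in ALLOWED_METHODS or any(
            h not in ALLOWED_HEADERS for h in wanted_headers
        ):
            return {"Vary": "Origin"}  # no Allow-* headers: the browser fails the preflight
        headers["Access-Control-Allow-Methods"] = ", ".join(ALLOWED_METHODS)
        headers["Access-Control-Allow-Headers"] = ", ".join(ALLOWED_HEADERS)
        headers["Access-Control-Max-Age"] = PREFLIGHT_MAX_AGE
    return headers


if __name__ == "__main__":
    # Constructed requests mirroring the thread: the browser page at :9000
    # first preflights, then sends the authenticated GET to the API at :8081.
    preflight = {"origin": "http://localhost:9000",
                 "access-control-request-method": "GET",
                 "access-control-request-headers": "Authorization"}
    print(cors_headers("OPTIONS", preflight))
    print(cors_headers("GET", {"origin": "http://localhost:9000",
                               "authorization": "Bearer <token>"}))
    print(cors_headers("GET", {"origin": "http://localhost:9000.evil.example"}))
```

Two points worth keeping in mind when reading the thread against this: the header is only useful if the request reaches the code that writes it, and a response with status 500 has usually failed before any CORS filter ran, so the browser's "no 'Access-Control-Allow-Origin' header" message hides the real server-side error and the server log is the place to look first. Also, the allowlist compares the full origin rather than a prefix or a wildcard, so a page on an unrelated site that includes the user's bearer token cannot read the response even if it reaches the API.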
https://lists.jboss.org/mailman/listinfo/keycloak-user From grantmarrow at gmail.com Wed Nov 16 15:22:09 2016 From: grantmarrow at gmail.com (Grant Marrow) Date: Wed, 16 Nov 2016 22:22:09 +0200 Subject: [keycloak-user] No 'Access-Control-Allow-Origin' header is present on the requested resource In-Reply-To: <23562AA7-5108-4840-899F-2C88B345E166@edlogics.com> References: <3C302B8D-3A73-4082-A5C5-31E6E858C1E9@edlogics.com> <23562AA7-5108-4840-899F-2C88B345E166@edlogics.com> Message-ID: I'm familiar with cors. I have used the exact same setup with versions 1.3, 1.4 and 1.9 version of keycloak. This problem has started since I upgraded to version 2.3 if keycloak. I have also tried adding the cors-enabled-headers and cors-enabled-methods properties to the keycloak.json file on my rest service application and that did not work as well. On 16 Nov 2016 21:12, "Chris Savory" wrote: > This doesn?t appear to be Keycloak related at all. This is just CORS > errors on your API. > > Try reading up here for some more background. > https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS > > But in short, what you need to do is have your API respond with a couple > of headers; primarily the 'Access-Control-Allow-Origin' header so the > browser knows that XHR calls to the domain http://localhost:8081 are > allowed be called from pages that are served off of the domain > http://localhost:9000 > > -- > Christopher Savory > Software Engineer | EdLogics > www.edlogics.com > > > > > From: Grant Marrow > Date: Wednesday, November 16, 2016 at 2:07 PM > To: Chris Savory , " > keycloak-user at lists.jboss.org" > Subject: Re: [keycloak-user] No 'Access-Control-Allow-Origin' header is > present on the requested resource > > Ok below is a step by step of events: > 1. User navigates to web application at http://localhost:9000 > 2. Use clicks the sign in button at http://localhost:9000/login > 3. User is redirected to keycloak at http://localhost:8080 to login > 4. 
Once signed in the user ia redirected to http://localhost:9000 > 5. Authenticated User navigates to registrations page at > http://localhost:9000/registrations. During this step a http GET request > is done to http://localhost:8081/leap-service/resouces/private/ > registrations. > At the above step the error occurs. Please let me know if you need more > information. Thanks > Regards > Grant > On 16 Nov 2016 20:26, "Grant Marrow" wrote: > Hi Chris > Thanks for getting back to me. I have done that and it didnt work. I > have also tired adding *. That did not work as well. What else can I try? > Please let me know. Thanks > Regards > Grant > On 16 Nov 2016 20:15, "Chris Savory" wrote: > In the admin, click on Clients, then select your client. Do you have any > values for ?Web Origins? there? If not, you need to add > ?http://localhost:9000? > > -- > Christopher Savory > Software Engineer | EdLogics > www.edlogics.com > > > > > > On 11/16/16, 1:08 PM, "keycloak-user-bounces at lists.jboss.org on behalf of > Grant Marrow" grantmarrow at gmail.com> wrote: > > Hi, > > I really need some help. I keep on getting the following error: > > > *No 'Access-Control-Allow-Origin' header is present on the requested > resource. Origin 'http://localhost:9000 ' is > therefore not allowed access. 
The response had HTTP status code 500.* > > This is my setup: > > *Front End:* > - angular 1.5 web application running at http://localhost:9000 > - client configuration on keycloak admin console: > - keycloak.json: > > { > "realm": "leap", > "auth-server-url": "http://localhost:8080/auth", > "ssl-required": "external", > "resource": "leap-web", > "public-client": true > } > > > *Auth Server* > - keycloak version 2.30Final running at http://localhost:8080 > > *Web service* > - java REST service running on Tomcat version 8.5 > - client config on keycloak admin console: > - web.xml of rest service: > > version="3.0"> > Archetype Created Web Application > leap-service > > com.hm.leap.service.init.ContextListener listener-class> > > > > persistentUnit > leap > > > > > Leap-Service > /resources/private/* > > > user > > > > > KEYCLOAK > leap > > > > user > > > > > - I also have the valve setup on my context.xml that lives in the > META-INF > directory > > className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve"/> > > > > - keycloak.json: > > { > "realm": "leap", > "bearer-only": true, > "auth-server-url": "http://localhost:8080/auth", > "ssl-required": "external", > "resource": "leap-service", > "enable-cors": true > } > > The error occurs in the following scenario: > - The angular web app launches, the user clicks the login button which > redirects to Keycloak. The user signs in. The user then tries > navigates to > another page. This page then executes a GET request on my REST service > which returns a list which is displayed in a table. But while > executing the > GET request, I receive the error: > > *No 'Access-Control-Allow-Origin' header is present on the requested > resource. Origin 'http://localhost:9000 ' is > therefore not allowed access. The response had HTTP status code 500.* > > In my Tomcat log file. 
I see the following warning message: > > > *11-Nov-2016 11:28:19.464 WARNING [http-nio-8081-exec-2] > org.apache.catalina.authenticator.FormAuthenticator.forwardToLoginPage > No > login page was defined for FORM authentication in context > [/leap-service]* > > I really can't seen to pinpoint the error. I find it quite strange > because > I have the same setup but using an older version of keycloak (1.9*), > which > worked fine. I know this might be a silly problem, but if you have some > time to help me, I would really appreciate it. Thanks. > > Regards > Grant > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > From jfalkner at redhat.com Wed Nov 16 15:39:42 2016 From: jfalkner at redhat.com (James Falkner) Date: Wed, 16 Nov 2016 14:39:42 -0600 Subject: [keycloak-user] No 'Access-Control-Allow-Origin' header is present on the requested resource In-Reply-To: References: <3C302B8D-3A73-4082-A5C5-31E6E858C1E9@edlogics.com> <23562AA7-5108-4840-899F-2C88B345E166@edlogics.com> Message-ID: <582CC40E.8080008@redhat.com> In the developer console in your browser, can you verify that the proper Authorization header is being passed in the REST call? Something like 'Authorization: bearer '. -James > Grant Marrow > November 16, 2016 at 2:22 PM > I'm familiar with cors. I have used the exact same setup with versions > 1.3, > 1.4 and 1.9 version of keycloak. This problem has started since I upgraded > to version 2.3 if keycloak. > > I have also tried adding the cors-enabled-headers and cors-enabled-methods > properties to the keycloak.json file on my rest service application and > that did not work as well. 
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

> Chris Savory
> November 16, 2016 at 2:11 PM
> This doesn't appear to be Keycloak related at all. This is just CORS errors on your API.
>
> Try reading up here for some more background.
> https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
>
> But in short, what you need to do is have your API respond with a couple of headers; primarily the 'Access-Control-Allow-Origin' header so the browser knows that XHR calls to the domain http://localhost:8081 are allowed to be called from pages that are served off of the domain http://localhost:9000
>
> --
> Christopher Savory
> Software Engineer | EdLogics
> www.edlogics.com
>
> From: Grant Marrow
> Date: Wednesday, November 16, 2016 at 2:07 PM
> To: Chris Savory , "keycloak-user at lists.jboss.org"
> Subject: Re: [keycloak-user] No 'Access-Control-Allow-Origin' header is present on the requested resource
>
> Ok below is a step by step of events:
> 1. User navigates to web application at http://localhost:9000
> 2. User clicks the sign in button at http://localhost:9000/login
> 3. User is redirected to keycloak at http://localhost:8080 to login
> 4. Once signed in the user is redirected to http://localhost:9000
> 5. Authenticated User navigates to registrations page at http://localhost:9000/registrations. During this step an HTTP GET request is done to http://localhost:8081/leap-service/resouces/private/registrations.
> At the above step the error occurs. Please let me know if you need more information. Thanks
> Regards
> Grant
>
> On 16 Nov 2016 20:26, "Grant Marrow" wrote:
> Hi Chris
> Thanks for getting back to me. I have done that and it didn't work. I have also tried adding *. That did not work as well. What else can I try? Please let me know. Thanks
> Regards
> Grant
>
> On 16 Nov 2016 20:15, "Chris Savory" wrote:
> In the admin, click on Clients, then select your client. Do you have any values for "Web Origins" there? If not, you need to add "http://localhost:9000"
>
> --
> Christopher Savory
> Software Engineer | EdLogics
> www.edlogics.com
>
> On 11/16/16, 1:08 PM, "keycloak-user-bounces at lists.jboss.org on behalf of Grant Marrow" grantmarrow at gmail.com> wrote:
>
> Hi,
>
> I really need some help. I keep on getting the following error:
>
> *No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:9000' is therefore not allowed access. The response had HTTP status code 500.*
>
> [...]
>
> Regards
> Grant
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From grantmarrow at gmail.com Wed Nov 16 15:51:44 2016
From: grantmarrow at gmail.com (Grant Marrow)
Date: Wed, 16 Nov 2016 22:51:44 +0200
Subject: [keycloak-user] No 'Access-Control-Allow-Origin' header is present on the requested resource
In-Reply-To: <582CC40E.8080008@redhat.com>
References: <3C302B8D-3A73-4082-A5C5-31E6E858C1E9@edlogics.com> <23562AA7-5108-4840-899F-2C88B345E166@edlogics.com> <582CC40E.8080008@redhat.com>
Message-ID:

Hi James

Yes I have used the chrome and firefox postmaster addon to process the same HTTP GET request to my rest service. During this request I added the authorisation bearer header with a valid token and it still returned the same error. The only time it worked was when I stripped out keycloak completely and just added the standard cors configuration in the web.xml of my service, which worked successfully. That's why I'm leaning to the fact that it might be a keycloak error.

Regards
Grant

On 16 Nov 2016 21:39, "James Falkner" wrote:
> In the developer console in your browser, can you verify that the proper Authorization header is being passed in the REST call? Something like 'Authorization: bearer '.
>
> -James
>
> Grant Marrow
> November 16, 2016 at 2:22 PM
> I'm familiar with cors.
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From abhi.raghav007 at gmail.com Wed Nov 16 16:10:52 2016
From: abhi.raghav007 at gmail.com (abhishek raghav)
Date: Thu, 17 Nov 2016 02:40:52 +0530
Subject: [keycloak-user] keycloak-session returns userModel as null in eventListenerProvider SPI
Message-ID:

Hi

I am trying to implement a welcome email to newly registered users by admin. I am using event listener SPI and emailSenderProvider to do this. I am implementing a provider for the Event Listener SPI and notifying users by sending an email and react to create user OperationType using emailSenderProvider. Here I am overriding the onEvent method which gets triggered on any AdminEvents. Now inside this method, I am preparing the content and calling emailSenderProvider.send() which takes realmModel and userModel. The issue is, I am able to get the realmModel, but not the userModel.

Code for reference:

@Override
public void onEvent(AdminEvent event, boolean includeRepresentation) {
    UserModel user = session.users().getUserById(event.getAuthDetails().getUserId(), realm);
    ......

Same works perfectly in the onEvent() for loginEvents.
Is it that the newly created resource is not available in the session but when we try updating an existing resource, it is able to fetch it. Please help me where I am doing wrong. Or is there any other way to get the userModel object.

Thanks in advance.

Cheers
Abhishek

From lists at merit.unu.edu Thu Nov 17 05:01:24 2016
From: lists at merit.unu.edu (mj)
Date: Thu, 17 Nov 2016 11:01:24 +0100
Subject: [keycloak-user] multiple ldap servers (failover)
Message-ID: <5e6a9c4e-ff28-73e6-df3b-4896b5ebc78a@merit.unu.edu>

Hi all,

We've just found keycloak, and are evaluating it. It's looking great so far! We have two questions.

Question one:
We are running three AD DCs, and would like to configure all three in keycloak, to get failover & redundancy.
To do this, I have simply configured three comma-separated DCs in the ldap URL field. Keycloak accepted this input, but I'm not sure that all three will be used...
Is the above the way to provide multiple ldap servers to keycloak?

Question two:
How about backing up keycloak? We are running from an extracted tar.gz. If we keep backups of this keycloak-directory, is that enough? Does keycloak need to be shut down at backup time?

Best regards,
MJ

From imbacen at gmail.com Thu Nov 17 05:10:32 2016
From: imbacen at gmail.com (cen)
Date: Thu, 17 Nov 2016 11:10:32 +0100
Subject: [keycloak-user] multiple ldap servers (failover)
In-Reply-To: <5e6a9c4e-ff28-73e6-df3b-4896b5ebc78a@merit.unu.edu>
References: <5e6a9c4e-ff28-73e6-df3b-4896b5ebc78a@merit.unu.edu>
Message-ID: <6be2eea7-fd61-d291-c6a5-c719fcd38418@gmail.com>

For question two, Keycloak uses h2 database by default which is stored locally in KC directory. But for production you probably don't want to use that. You should configure Keycloak to use an external database and backup that instead. You basically just modify standalone.xml and change the KeycloakDS datasource to use the database of your choice.

On 17. 11. 2016 at 11:01, mj wrote:
> Hi all,
>
> We've just found keycloak, and are evaluating it. It's looking great so far! We have two questions.
>
> [...]
>
> Best regards,
> MJ
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From glavoie at gmail.com Thu Nov 17 08:10:28 2016
From: glavoie at gmail.com (Gabriel Lavoie)
Date: Thu, 17 Nov 2016 08:10:28 -0500
Subject: [keycloak-user] Best practices for combining web and mobile usage in one realm
In-Reply-To:
References: <7b693f2b-8b90-a10d-3cb0-1d645cb7c04c@akvo.org>
Message-ID:

Hi Artiz,

as Iván mentioned, you should have a look at offline refresh tokens (requested by using the scope=offline_access query parameter in your authorization code flow initial request). An offline token has a different semantic and timeout. From what I've tested "SSO Session Idle" and "SSO Session Max" don't apply to them, only "Offline Session Idle". Offline Session Idle is the maximum delay between last refresh and session expiry. Let's say your Offline Session Idle is 30 days and you refresh your token after 15 days, this will reset the offline session timeout again. You can basically have an infinite session if the user uses the token frequently.
Gabriel

2016-11-16 4:52 GMT-05:00 Iván Perdomo:
> Found the location of the "Offline Access" section:
>
> https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/sessions/offline.html
>
> On 11/16/2016 09:55 AM, Iván Perdomo wrote:
> > Hi,
> >
> > I think you should look at offline tokens, introduced in Keycloak 1.6.1 [1]
> >
> > [1] http://blog.keycloak.org/2015/12/offline-tokens-in-keycloak.html
> >
> > On 11/15/2016 06:06 PM, Aritz Maeztu wrote:
> >> Hi all,
> >>
> >> I'm using keycloak 2.2.1 to secure my application. The application can be accessed both via web and mobile (Android app). Both of them use the authorization code flow, which I believe is the ideal form of authentication for my case.
> >>
> >> The topic I want to clarify here is token lifespans. As far as I understand, the SSO session idle timeout determines how long a token can last without being refreshed. On the other hand, SSO session max determines how long a token can last, even if it's being refreshed once and again. Well, now a couple of questions:
> >>
> >> 1. Is there a way to make the web session limited to, let's say, 30 minutes and to have a long lived refresh token for the app?
> >>
> >> 2. How to deal with the refresh token in the app? What I do right now is to launch a webview when application starts and store the access and refresh tokens in user preferences (which is secured in Android). I wrap each http request made from the app and add the access token, unless it has expired, then I request a new access token with the refresh token. But when should I check the validity for the refresh token itself? I don't want a chain of requests being interrupted because of the refresh token being expired!
> >>
> >> Thanks in advance for your help!
> >>
> >
> --
> Iván
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Gabriel Lavoie
glavoie at gmail.com

From lists at merit.unu.edu Thu Nov 17 10:52:31 2016
From: lists at merit.unu.edu (mj)
Date: Thu, 17 Nov 2016 16:52:31 +0100
Subject: [keycloak-user] ssl apache2 difficulties
Message-ID: <5c45ee3b-4da5-6287-3dbb-db10dad4fa1f@merit.unu.edu>

Hi,

The keycloak docs recommend running keycloak over ssl. Doing that directly in java seems quite tricky, so I decided to put an apache2 reverse proxy before keycloak, using Let's Encrypt ssl certificates.

I can't seem to find many official docs on this subject, but after a lot of googling, I think I'm very close.

The main keycloak interface on https://keycloak.company.com/auth loads, using ssl, everything looks good. The "administration console" link on that page goes to https://keycloak.company.com/auth/admin/ so the link was generated correctly, too.

However, actually clicking it, I end up somewhere else, namely:
http://keycloak.company.com/auth/admin/master/console/
NOT good, no longer https, and thus we're getting "unable to connect".

Here are two configs I did. First the apache2 keycloak.conf:

> ServerAdmin webmaster at keycloak.company.com
> ServerName keycloak.company.com
> DocumentRoot /var/www/html
>
> ProxyPreserveHost On
> ProxyVia Off
> ProxyRequests Off
> ProxyPass / "http://localhost:8080/"
> ProxyPassReverse / "http://localhost:8080/"
>
> Order deny,allow
> Allow from all
>
> LogLevel info ssl:warn
> ErrorLog ${APACHE_LOG_DIR}/keycloak-error.log
> CustomLog ${APACHE_LOG_DIR}/keycloak-access.log combined
>
> # SSL Engine Switch:
> # Enable/Disable SSL for this virtual host.
> SSLEngine on
> SSLCertificateFile /etc/ssl/apache2/cert.pem
> SSLCertificateKeyFile /etc/ssl/apache2/cert.key
> SSLCertificateChainFile /etc/ssl/apache2/fullchain.pem

and I guess I need to make two changes to standalone.xml as well, lines 358 and 422:

edited line 385 to:
>

inserted this line at line 422:
>

Is there somewhere a place where the required details are outlined to make this work? Seems I'm pretty close, and just missing some minor detail somewhere...

Best regards,
MJ

From lists at merit.unu.edu Thu Nov 17 10:55:11 2016
From: lists at merit.unu.edu (mj)
Date: Thu, 17 Nov 2016 16:55:11 +0100
Subject: [keycloak-user] ssl apache2 difficulties
In-Reply-To: <5c45ee3b-4da5-6287-3dbb-db10dad4fa1f@merit.unu.edu>
References: <5c45ee3b-4da5-6287-3dbb-db10dad4fa1f@merit.unu.edu>
Message-ID: <2b28238a-b944-852e-a3e1-62a351222ae3@merit.unu.edu>

On 11/17/2016 04:52 PM, mj wrote:
> However, actually clicking it, I end up somewhere else, namely:
> http://keycloak.company.com/auth/admin/master/console/
> NOT good, no longer https, and thus we're getting "unable to connect".

Changing the link above to https
https://keycloak.company.com/auth/admin/master/console/
gives a page with stuff like this:

{{notification.header}} {{notification.message}} Loading...

From sourin-v at bridgestone-bae.com Thu Nov 17 11:01:33 2016
From: sourin-v at bridgestone-bae.com (Vincent Sourin)
Date: Thu, 17 Nov 2016 16:01:33 +0000
Subject: [keycloak-user] ssl apache2 difficulties
In-Reply-To: <2b28238a-b944-852e-a3e1-62a351222ae3@merit.unu.edu>
References: <5c45ee3b-4da5-6287-3dbb-db10dad4fa1f@merit.unu.edu> <2b28238a-b944-852e-a3e1-62a351222ae3@merit.unu.edu>
Message-ID: <0e18e6f0ed8d45618600d6e5305b5165@bridgestone-bae.com>

Hello,

I think your reverse proxy has to add these headers: *X-Forwarded-Proto* & *X-Forwarded-For* to make it work.

Regards,

Vincent.
From haimv at perfectomobile.com Thu Nov 17 11:08:58 2016
From: haimv at perfectomobile.com (Haim Vana)
Date: Thu, 17 Nov 2016 16:08:58 +0000
Subject: [keycloak-user] Logout session issues

Hi,

We are working on Keycloak 1.9.3 with spring security, and trying to implement backchannel logout (one application performs logout and the second application is not aware of it). We would appreciate it if you could kindly advise regarding the below:

1. What is the best practice to handle backchannel logout? More specifically, where and how should the access token validation be performed (how should the second application know that the first one performed the logout)?

2. We have noticed that the Keycloak spring security filters (straight from the documentation) don't try to authenticate the token after it is revoked. What's the best practice to handle access token expiration? Is it implemented by keycloak or should we handle it on the server or client side?

3. The getToken() method of RefreshableKeycloakSecurityContext does not fail if the token is expired; is this on purpose? If so, should we handle it in our application code?

4. We have implemented the KeycloakOIDCFilter, but it doesn't empty the spring security authentication object (SecurityContextHolder.getContext().getAuthentication()) after logout; as a result the client 'thinks' it is still authenticated. What's the best practice to handle it?

Thanks,
Haim.

From chris.savory at edlogics.com Thu Nov 17 11:35:00 2016
From: chris.savory at edlogics.com (Chris Savory)
Date: Thu, 17 Nov 2016 16:35:00 +0000
Subject: [keycloak-user] No 'Access-Control-Allow-Origin' header is present on the requested resource
References: <3C302B8D-3A73-4082-A5C5-31E6E858C1E9@edlogics.com> <23562AA7-5108-4840-899F-2C88B345E166@edlogics.com> <582CC40E.8080008@redhat.com>
Message-ID: <4902A309-E758-4D8C-A9DF-AE91E569DD30@edlogics.com>

Sounds like our app is configured a bit differently from yours. We have a Filter installed that adds these CORS headers to the response and it's been there since before we integrated with Keycloak. Hence, we don't need to rely on Keycloak to add them for us.

--
Christopher Savory
Software Engineer | EdLogics
www.edlogics.com

From: Grant Marrow
Date: Wednesday, November 16, 2016 at 2:51 PM
To: James Falkner
Cc: "keycloak-user at lists.jboss.org", Chris Savory
Subject: Re: [keycloak-user] No 'Access-Control-Allow-Origin' header is present on the requested resource

Hi James

Yes I have used the chrome and firefox postmaster addon to process the same HTTP GET request to my rest service.

During this request I added the authorisation bearer header with a valid token and it still returned the same error.

The only time it worked was when I stripped out keycloak completely and just added the standard cors configuration in the web.xml of my service; that worked successfully. That's why I'm leaning to the fact that it might be a keycloak error.

Regards
Grant

On 16 Nov 2016 21:39, "James Falkner" wrote:
In the developer console in your browser, can you verify that the proper Authorization header is being passed in the REST call? Something like 'Authorization: bearer '.

-James

Grant Marrow
November 16, 2016 at 2:22 PM
I'm familiar with cors. I have used the exact same setup with versions 1.3, 1.4 and 1.9 of keycloak. This problem has started since I upgraded to version 2.3 of keycloak.

I have also tried adding the cors-enabled-headers and cors-enabled-methods properties to the keycloak.json file on my rest service application and that did not work as well.

Chris Savory
November 16, 2016 at 2:11 PM
This doesn't appear to be Keycloak related at all. These are just CORS errors on your API.

Try reading up here for some more background.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS

But in short, what you need to do is have your API respond with a couple of headers; primarily the 'Access-Control-Allow-Origin' header so the browser knows that XHR calls to the domain http://localhost:8081 are allowed to be called from pages that are served off of the domain http://localhost:9000

--
Christopher Savory
Software Engineer | EdLogics
www.edlogics.com
From: Grant Marrow
Date: Wednesday, November 16, 2016 at 2:07 PM
To: Chris Savory, "keycloak-user at lists.jboss.org"
Subject: Re: [keycloak-user] No 'Access-Control-Allow-Origin' header is present on the requested resource

Ok below is a step by step of events:
1. User navigates to web application at http://localhost:9000
2. User clicks the sign in button at http://localhost:9000/login
3. User is redirected to keycloak at http://localhost:8080 to login
4. Once signed in the user is redirected to http://localhost:9000
5. Authenticated User navigates to registrations page at http://localhost:9000/registrations. During this step a http GET request is done to http://localhost:8081/leap-service/resouces/private/registrations.

At the above step the error occurs. Please let me know if you need more information. Thanks

Regards
Grant

On 16 Nov 2016 20:26, "Grant Marrow" wrote:
Hi Chris

Thanks for getting back to me. I have done that and it didn't work. I have also tried adding *. That did not work as well. What else can I try? Please let me know. Thanks

Regards
Grant

On 16 Nov 2016 20:15, "Chris Savory" wrote:
In the admin, click on Clients, then select your client. Do you have any values for "Web Origins" there? If not, you need to add "http://localhost:9000"

--
Christopher Savory
Software Engineer | EdLogics
www.edlogics.com

On 11/16/16, 1:08 PM, "keycloak-user-bounces at lists.jboss.org on behalf of Grant Marrow" wrote:

Hi,

I really need some help. I keep on getting the following error:

*No 'Access-Control-Allow-Origin' header is present on the requested
resource. Origin 'http://localhost:9000' is
therefore not allowed access. The response had HTTP status code 500.*

This is my setup:

*Front End:*
- angular 1.5 web application running at http://localhost:9000
- client configuration on keycloak admin console:
- keycloak.json:

{
  "realm": "leap",
  "auth-server-url": "http://localhost:8080/auth",
  "ssl-required": "external",
  "resource": "leap-web",
  "public-client": true
}

*Auth Server*
- keycloak version 2.30Final running at http://localhost:8080

*Web service*
- java REST service running on Tomcat version 8.5
- client config on keycloak admin console:
- web.xml of rest service:

Archetype Created Web Application leap-service com.hm.leap.service.init.ContextListener persistentUnit leap Leap-Service /resources/private/* user KEYCLOAK leap user

- I also have the valve setup on my context.xml that lives in the META-INF directory

<Valve className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve"/>

- keycloak.json:

{
  "realm": "leap",
  "bearer-only": true,
  "auth-server-url": "http://localhost:8080/auth",
  "ssl-required": "external",
  "resource": "leap-service",
  "enable-cors": true
}

The error occurs in the following scenario:
- The angular web app launches, the user clicks the login button which redirects to Keycloak. The user signs in. The user then tries to navigate to another page. This page then executes a GET request on my REST service which returns a list which is displayed in a table. But while executing the GET request, I receive the error:

*No 'Access-Control-Allow-Origin' header is present on the requested
resource. Origin 'http://localhost:9000' is
therefore not allowed access. The response had HTTP status code 500.*

In my Tomcat log file, I see the following warning message:

*11-Nov-2016 11:28:19.464 WARNING [http-nio-8081-exec-2]
org.apache.catalina.authenticator.FormAuthenticator.forwardToLoginPage No
login page was defined for FORM authentication in context [/leap-service]*

I really can't seem to pinpoint the error. I find it quite strange because
I have the same setup but using an older version of keycloak (1.9*), which worked fine. I know this might be a silly problem, but if you have some time to help me, I would really appreciate it. Thanks.

Regards
Grant

From lists at merit.unu.edu Thu Nov 17 11:47:51 2016
From: lists at merit.unu.edu (mj)
Date: Thu, 17 Nov 2016 17:47:51 +0100
Subject: [keycloak-user] ssl apache2 difficulties
In-Reply-To: <0e18e6f0ed8d45618600d6e5305b5165@bridgestone-bae.com>
References: <5c45ee3b-4da5-6287-3dbb-db10dad4fa1f@merit.unu.edu> <2b28238a-b944-852e-a3e1-62a351222ae3@merit.unu.edu> <0e18e6f0ed8d45618600d6e5305b5165@bridgestone-bae.com>

Hi Vincent,

Thanks for the clue! It started working after I added:

> RequestHeader set X-Forwarded-Proto "https"
> RequestHeader set X-Forwarded-Port "443"

to apache2 keycloak.conf

Thanks!
MJ

On 11/17/2016 05:01 PM, Vincent Sourin wrote:
> Hello,
>
> I think your reverse proxy has to add these headers: *X-Forwarded-Proto* & *X-Forwarded-For* to make it work.
>
> Regards,
>
> Vincent.
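The reverse-proxy fix MJ reports above, as an added model (not Keycloak's or Undertow's code) of why the admin console redirect came back as http:// and what the two RequestHeader lines change once the backend trusts them; on the Keycloak side the matching switch is the proxy-address-forwarding="true" attribute of the Undertow http-listener in standalone.xml. The trusted-proxy range, the peer check and the sample requests are assumptions of this model; the header names are the ones from the thread.

```python
"""Model of why the admin console redirect came back as http:// behind Apache.

A backend behind a TLS-terminating reverse proxy only ever sees a plain-HTTP
connection from the proxy, so every absolute URL it generates (such as the
redirect to /auth/admin/master/console/) is built with "http" unless it is
told to trust the X-Forwarded-* headers the proxy sets.  The trusted-proxy
check, the 127.0.0.0/8 range and the sample requests are assumptions of this
model; the header names are the ones used in the thread.
"""
from ipaddress import ip_address, ip_network

DEFAULT_PORTS = {"http": 80, "https": 443}
TRUSTED_PROXIES = ("127.0.0.0/8",)   # Apache and Keycloak share a host in the thread


def _peer_is_proxy(peer_ip, trusted_proxies):
    return any(ip_address(peer_ip) in ip_network(net) for net in trusted_proxies)


def _host_and_port(host_header, scheme):
    """Split a Host header into (host, port); the port defaults by scheme."""
    host, sep, port = host_header.partition(":")
    return host, (int(port) if sep else DEFAULT_PORTS[scheme])


def effective_base_url(headers, peer_ip, *, listener_scheme="http",
                       proxy_address_forwarding=False,
                       trusted_proxies=TRUSTED_PROXIES):
    """Return the scheme://host[:port] the backend would put in absolute URLs.

    headers  - request headers as the backend receives them (dict)
    peer_ip  - address of the TCP peer: the proxy, or a client that bypassed it
    proxy_address_forwarding - whether the backend honours X-Forwarded-* at all
    """
    scheme = listener_scheme
    # ProxyPreserveHost On keeps the public Host header; without it Apache
    # sends "localhost:8080" and every generated link points at the backend.
    host, port = _host_and_port(headers.get("Host", "localhost:8080"), scheme)
    if proxy_address_forwarding and _peer_is_proxy(peer_ip, trusted_proxies):
        # Only a trusted peer may describe the client-facing connection; the
        # same header written by a direct client is ignored.
        forwarded = headers.get("X-Forwarded-Proto", "").lower()
        if forwarded in DEFAULT_PORTS:
            scheme = forwarded
            port = int(headers.get("X-Forwarded-Port", DEFAULT_PORTS[scheme]))
    netloc = host if port == DEFAULT_PORTS[scheme] else f"{host}:{port}"
    return f"{scheme}://{netloc}"


def redirect_location(headers, peer_ip, path, **settings):
    """The Location header a redirect to `path` would carry."""
    return effective_base_url(headers, peer_ip, **settings) + path


def client_ip(headers, peer_ip, trusted_proxies=TRUSTED_PROXIES):
    """Address to log (and to rate-limit logins on) for this request.

    mod_proxy appends the peer it saw to any X-Forwarded-For already present,
    so the rightmost entry is the one the trusted proxy wrote; entries to its
    left may have been supplied by the client and are not trusted here.
    """
    if _peer_is_proxy(peer_ip, trusted_proxies):
        xff = headers.get("X-Forwarded-For", "")
        if xff.strip():
            return xff.split(",")[-1].strip()
    return peer_ip


# Constructed requests, as Keycloak sees them behind the thread's Apache vhost
PATH = "/auth/admin/master/console/"
BEFORE_FIX = {"Host": "keycloak.company.com"}          # ProxyPreserveHost On only
AFTER_FIX = {"Host": "keycloak.company.com",           # plus the two RequestHeader lines
             "X-Forwarded-Proto": "https", "X-Forwarded-Port": "443"}

if __name__ == "__main__":
    print("before the fix:              ", redirect_location(BEFORE_FIX, "127.0.0.1", PATH))
    print("headers set, backend unaware:", redirect_location(AFTER_FIX, "127.0.0.1", PATH))
    print("headers set and trusted:     ",
          redirect_location(AFTER_FIX, "127.0.0.1", PATH, proxy_address_forwarding=True))
    print("same headers, direct client: ",
          redirect_location(AFTER_FIX, "203.0.113.5", PATH, proxy_address_forwarding=True))
```

Use `RequestHeader set` (not `append` or `merge`) in the vhost so a value a client sends in X-Forwarded-Proto is overwritten by the proxy rather than passed through.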
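For the 'Access-Control-Allow-Origin' thread above, an added model (not the Keycloak adapter's code) of why Chris's "Web Origins" question is the decisive one: Keycloak copies the client's Web Origins into the access token's allowed-origins claim, and a bearer-only adapter with "enable-cors": true compares the request's Origin header with that claim before adding any CORS header. The claims below are constructed and stand in for a token whose signature has already been verified; the preflight handling and the exact header set are assumptions of the model.

```python
"""Model of the check that decides whether the Keycloak adapter emits CORS headers.

The client's "Web Origins" list ends up in the access token as the
allowed-origins claim; on a cross-origin request the adapter compares the
Origin header with that list and adds Access-Control-Allow-Origin only on a
match.  Added model of that logic, not the adapter's code; the claims are
constructed and assumed to come from a signature-verified token.
"""

ALLOW_METHODS = "GET, POST, PUT, DELETE, OPTIONS"
ALLOW_HEADERS = "Authorization, Content-Type"

# Constructed claims: what the token carries for three Web Origins settings
TOKEN_WEB_ORIGINS_EMPTY = {"sub": "user", "allowed-origins": []}
TOKEN_WEB_ORIGINS_SET = {"sub": "user", "allowed-origins": ["http://localhost:9000"]}
TOKEN_WEB_ORIGINS_ANY = {"sub": "user", "allowed-origins": ["*"]}


def origin_allowed(origin, claims):
    """Exact string match or the "*" wildcard.  Nothing is normalised, so a
    trailing slash or a different port in the Web Origins entry is a mismatch."""
    allowed = claims.get("allowed-origins") or []
    return "*" in allowed or origin in allowed


def cors_headers_for_request(request_headers, claims):
    """Headers added to the actual (token-bearing) response.

    An empty result means the browser will report "No 'Access-Control-Allow-Origin'
    header is present on the requested resource" for a cross-origin caller.
    """
    origin = request_headers.get("Origin")
    if origin is None:                        # same-origin or non-browser client
        return {}
    if not origin_allowed(origin, claims):    # the thread's failure case
        return {}
    return {
        # Echo the matched origin rather than "*": browsers refuse a literal "*"
        # for requests made with credentials, and echo plus Vary stops a shared
        # cache from replaying one origin's answer to another.
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def cors_headers_for_preflight(request_headers):
    """Answer to the OPTIONS preflight a browser sends before a GET that carries
    an Authorization header.  The preflight itself carries no token, so the
    origin decision cannot be made here; it is made on the real request."""
    origin = request_headers.get("Origin")
    method = request_headers.get("Access-Control-Request-Method")
    if origin is None or method is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": ALLOW_METHODS,
        "Access-Control-Allow-Headers": ALLOW_HEADERS,
        "Vary": "Origin",
    }


# The request from the thread: Angular app on :9000 calling the service on :8081
THREAD_REQUEST = {
    "Origin": "http://localhost:9000",
    "Authorization": "bearer <token>",       # placeholder, not a real token
}

if __name__ == "__main__":
    for name, claims in (("Web Origins empty", TOKEN_WEB_ORIGINS_EMPTY),
                         ("Web Origins = http://localhost:9000", TOKEN_WEB_ORIGINS_SET),
                         ("Web Origins = *", TOKEN_WEB_ORIGINS_ANY)):
        print(f"{name}: {cors_headers_for_request(THREAD_REQUEST, claims) or 'no CORS headers'}")
```

A quick check when the error appears: decode the access token the browser is sending and compare its allowed-origins claim byte for byte with the Origin header the browser shows in the developer console.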
From jitendrachouhan03 at gmail.com Thu Nov 17 12:13:36 2016
From: jitendrachouhan03 at gmail.com (Jitendra Chouhan)
Date: Thu, 17 Nov 2016 22:43:36 +0530
Subject: [keycloak-user] Join Group Issue in keycloak2.3.0 with mongo db

Hi,

We are evaluating keycloak-2.3.0 in standalone mode as well as with docker images. During our validations we came across an issue with group assignment to a user. Please find the information listed below.

Everything works fine when we test keycloak-2.3.0 with the default configuration, which uses the h2 database internally. We encounter the issue with group assignment (other functionality works fine) when we use mongo db as the external database to store information. Just to let you know, we have configured the mongo db related configuration in keycloak by referencing the "https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.3/topics/mongo.html" link.

Upon checking the backend server logs we found the stack trace below:

Caused by: java.lang.NullPointerException
    at org.keycloak.models.mongo.keycloak.adapters.UserAdapter.isMemberOf(UserAdapter.java:263)
    at org.keycloak.models.cache.infinispan.UserAdapter.isMemberOf(UserAdapter.java:368)
    at org.keycloak.services.resources.admin.UsersResource.joinGroup(UsersResource.java:992)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)

Everything works fine with the keycloak-2.2.1 version. Please confirm whether this is an issue or something is wrong.

Thanks,
Jitendra Chouhan

From rsoares at redhat.com Thu Nov 17 12:54:21 2016
From: rsoares at redhat.com (Rafael T. C. Soares)
Date: Thu, 17 Nov 2016 14:54:21 -0300
Subject: [keycloak-user] Keycloak is now OpenID Connect certified
Message-ID: <0dd8ad82-94ef-9b61-1975-ef d269636f64@redhat.com>

Great news!!! Congratulations to the entire team.

___
Rafael T. C. Soares

On 11/16/2016 08:36 AM, Stian Thorgersen wrote:
> I'm pleased to announce that Keycloak is now OpenID Connect certified for
> all 5 conformance profiles. For details check out
> http://openid.net/certification/.

From jfalkner at redhat.com Thu Nov 17 17:50:56 2016
From: jfalkner at redhat.com (James Falkner)
Date: Thu, 17 Nov 2016 16:50:56 -0600
Subject: [keycloak-user] No 'Access-Control-Allow-Origin' header is present on the requested resource
References: <3C302B8D-3A73-4082-A5C5-31E6E858C1E9@edlogics.com> <23562AA7-5108-4840-899F-2C88B345E166@edlogics.com> <582CC40E.8080008@redhat.com>

Hey Grant - if it's a protected URL, and you've configured web origins correctly for the client, and the adapter, and the browser is sending the right stuff - then the Keycloak adapter *should* add the CORS headers. I have a few demos I've created that work in this way, but they all use the official Red Hat SSO product, based on Keycloak 1.9.4.

If you use "curl" with the same headers, does it fail too? See the end of http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.html for an example of how to obtain a token and issue a request using curl.

-James

On Wed, Nov 16, 2016 at 2:51 PM, Grant Marrow wrote:
> Hi James
>
> Yes I have used the chrome and firefox postmaster addon to process the
> same HTTP GET request to my rest service.
>
> During this request I added the authorisation bearer header with a valid
> token and it still returned the same error.
>
> The only time it worked was when I stripped out keycloak completely and
> just added the standard cors configuration in my web.xml of my service
> worked successfully. That's why I'm leaning to the fact that it might be a
> keycloak error.
>
> Regards
> Grant
I also have the valve setup on my context.xml that lives in the META-INF >> directory >> >> > className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve"/> >> >> >> >> - keycloak.json: >> >> { >> "realm": "leap", >> "bearer-only": true, >> "auth-server-url": "http://localhost:8080/auth" >> , >> "ssl-required": "external", >> "resource": "leap-service", >> "enable-cors": true >> } >> >> The error occurs in the following scenario: >> - The angular web app launches, the user clicks the login button which >> redirects to Keycloak. The user signs in. The user then tries navigates to >> another page. This page then executes a GET request on my REST service >> which returns a list which is displayed in a table. But while executing >> the >> GET request, I receive the error: >> >> *No 'Access-Control-Allow-Origin' header is present on the requested >> resource. Origin 'http://localhost:9000 >> ' is >> therefore not allowed access. The response had HTTP status code 500.* >> >> In my Tomcat log file. I see the following warning message: >> >> >> *11-Nov-2016 11:28:19.464 WARNING [http-nio-8081-exec-2] >> org.apache.catalina.authenticator.FormAuthenticator.forwardToLoginPage No >> login page was defined for FORM authentication in context [/leap-service]* >> >> I really can't seen to pinpoint the error. I find it quite strange because >> I have the same setup but using an older version of keycloak (1.9*), which >> worked fine. I know this might be a silly problem, but if you have some >> time to help me, I would really appreciate it. Thanks. 
>> >> Regards >> Grant >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> Grant Marrow >> November 16, 2016 at 1:08 PM >> Hi, >> >> I really need some help. I keep on getting the following error: >> >> >> *No 'Access-Control-Allow-Origin' header is present on the requested >> resource. Origin 'http://localhost:9000 >> ' is >> therefore not allowed access. The response had HTTP status code 500.* >> >> This is my setup: >> >> *Front End:* >> - angular 1.5 web application running at http://localhost:9000 >> - client configuration on keycloak admin console: >> - keycloak.json: >> >> { >> "realm": "leap", >> "auth-server-url": "http://localhost:8080/auth" >> , >> "ssl-required": "external", >> "resource": "leap-web", >> "public-client": true >> } >> >> >> *Auth Server* >> - keycloak version 2.30Final running at http://localhost:8080 >> >> *Web service* >> - java REST service running on Tomcat version 8.5 >> - client config on keycloak admin console: >> - web.xml of rest service: >> >> > xmlns=" >> http://java.sun.com/xml/ns/javaee" xsi:schemaLocation=" >> http://java.sun.com/xml/ns/javaee >> http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="WebApp_ID" >> version="3.0"> >> Archetype Created Web Application >> leap-service >> >> com.hm.leap.service.init.ContextListener >> >> >> >> persistentUnit >> leap >> >> >> >> >> Leap-Service >> /resources/private/* >> >> >> user >> >> >> >> >> KEYCLOAK >> leap >> >> >> >> user >> >> >> >> >> - I also have the valve setup on my context.xml that lives in the META-INF >> directory >> >> > className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve"/> >> >> >> >> - keycloak.json: >> >> { >> "realm": "leap", >> 
"bearer-only": true, >> "auth-server-url": "http://localhost:8080/auth" >> , >> "ssl-required": "external", >> "resource": "leap-service", >> "enable-cors": true >> } >> >> The error occurs in the following scenario: >> - The angular web app launches, the user clicks the login button which >> redirects to Keycloak. The user signs in. The user then tries navigates to >> another page. This page then executes a GET request on my REST service >> which returns a list which is displayed in a table. But while executing >> the >> GET request, I receive the error: >> >> *No 'Access-Control-Allow-Origin' header is present on the requested >> resource. Origin 'http://localhost:9000 >> ' is >> therefore not allowed access. The response had HTTP status code 500.* >> >> In my Tomcat log file. I see the following warning message: >> >> >> *11-Nov-2016 11:28:19.464 WARNING [http-nio-8081-exec-2] >> org.apache.catalina.authenticator.FormAuthenticator.forwardToLoginPage No >> login page was defined for FORM authentication in context [/leap-service]* >> >> I really can't seen to pinpoint the error. I find it quite strange because >> I have the same setup but using an older version of keycloak (1.9*), which >> worked fine. I know this might be a silly problem, but if you have some >> time to help me, I would really appreciate it. Thanks. >> >> Regards >> Grant >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> From RLaghuvaram at contractor.lb.com Fri Nov 18 00:36:15 2016 From: RLaghuvaram at contractor.lb.com (Laghuvaram, Raghu) Date: Fri, 18 Nov 2016 05:36:15 +0000 Subject: [keycloak-user] Issue with Rest API "Add a social login provider to the user" Message-ID: Team, I am using Rest API to create a user and add social login provider to that user. I am able to add the user but I am not able to add Social Login Provider. 
When I am trying to add the Social Login Provider as

kc = KeycloakBuilder.builder() //
        .serverUrl("http://localhost:8080/auth") //
        .realm("SocialDemo") //
        .username("admin") //
        .password("admin") //
        .clientId("admin-cli") //
        .resteasyClient(new ResteasyClientBuilder().connectionPoolSize(10).build()) //
        .build();
response = kc.realm("SocialDemo").users().get(createdUserId).addFederatedIdentity("facebook", link);

I am getting an NPE as below. Please help. Is there any other approach than what I am following?

00:27:14,145 ERROR [io.undertow.request] (default task-124) UT005023: Exception handling request to /auth/admin/realms/SocialDemo/users/87b95eea-a04c-48b2-87ce-b8e0e7eb43d8/federated-identity/facebook: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
    at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
    at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
    at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    ...........
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.NullPointerException
    at org.keycloak.models.jpa.JpaUserProvider.addFederatedIdentity(JpaUserProvider.java:166)
    at org.keycloak.storage.UserStorageManager.addFederatedIdentity(UserStorageManager.java:158)
    at org.keycloak.models.cache.infinispan.UserCacheSession.addFederatedIdentity(UserCacheSession.java:621)
    at org.keycloak.models.UserFederationManager.addFederatedIdentity(UserFederationManager.java:163)
    at org.keycloak.services.resources.admin.UsersResource.addFederatedIdentity(UsersResource.java:478)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    .................
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
    ... 37 more
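An added example, not the poster's code and not Keycloak's own: the same admin-client call wrapped with the checks a practitioner would want before linking an identity (the alias exists in the realm, the user exists, every field of the link is set). The thread does not say which value was null, so these checks are an assumption; the server URL, credentials, user id and provider-side values are placeholders.

```java
import java.util.List;

import javax.ws.rs.core.Response;

import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.representations.idm.FederatedIdentityRepresentation;
import org.keycloak.representations.idm.IdentityProviderRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

public class LinkSocialIdentity {

    public static void main(String[] args) {
        // Same builder shape as the poster's; server URL, realm and credentials are placeholders.
        Keycloak kc = KeycloakBuilder.builder()
                .serverUrl("http://localhost:8080/auth")
                .realm("SocialDemo")
                .username("admin")
                .password("admin")
                .clientId("admin-cli")
                .resteasyClient(new ResteasyClientBuilder().connectionPoolSize(10).build())
                .build();

        // Constructed sample values. The provider-side user id and login name are whatever
        // the social provider reports for that account; they are not Keycloak values.
        String createdUserId = "<id returned when the user was created>";
        int status = linkIdentity(kc.realm("SocialDemo"), createdUserId,
                "facebook", "10203040506070809", "jane.doe");
        System.out.println("federated-identity request returned HTTP " + status);
    }

    /**
     * Links a social identity to an existing Keycloak user, validating the inputs
     * before the call so that a bad argument fails client-side with a clear message.
     */
    static int linkIdentity(RealmResource realm, String userId, String providerAlias,
                            String providerUserId, String providerUserName) {
        // 1. The alias must name an identity provider configured in this realm.
        List<IdentityProviderRepresentation> providers = realm.identityProviders().findAll();
        boolean aliasKnown = providers.stream()
                .anyMatch(p -> providerAlias.equals(p.getAlias()));
        if (!aliasKnown) {
            throw new IllegalArgumentException(
                    "no identity provider with alias '" + providerAlias + "' in this realm");
        }

        // 2. The user must exist; the lookup fails with a 404 otherwise.
        UserRepresentation user = realm.users().get(userId).toRepresentation();

        // 3. Every field of the link must be set. providerUserId decides which social
        //    account may log in as this user, so it must come from the provider's own
        //    verified profile data, never from unvalidated client input.
        if (providerUserId == null || providerUserId.isEmpty()
                || providerUserName == null || providerUserName.isEmpty()) {
            throw new IllegalArgumentException("providerUserId and providerUserName are required");
        }
        FederatedIdentityRepresentation link = new FederatedIdentityRepresentation();
        link.setIdentityProvider(providerAlias);
        link.setUserId(providerUserId);
        link.setUserName(providerUserName);

        // POST /admin/realms/{realm}/users/{id}/federated-identity/{provider}; expect 2xx.
        Response response = realm.users().get(user.getId())
                .addFederatedIdentity(providerAlias, link);
        try {
            return response.getStatus();
        } finally {
            response.close();
        }
    }
}
```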
From jitendrachouhan03 at gmail.com Fri Nov 18 03:56:53 2016
From: jitendrachouhan03 at gmail.com (Jitendra Chouhan)
Date: Fri, 18 Nov 2016 14:26:53 +0530
Subject: [keycloak-user] Fwd: Join Group Issue in keycloak2.3.0 with mongo db
In-Reply-To:
References:
Message-ID:

Does anyone have an idea about, or has anyone faced, a problem in assigning a group to a user when a keycloak-2.3.0.Final instance runs with a mongo database? For detailed information please refer to this email chain.

Thanks,
Jitendra Chouhan

---------- Forwarded message ----------
From: Jitendra Chouhan
Date: Thu, Nov 17, 2016 at 10:43 PM
Subject: Join Group Issue in keycloak2.3.0 with mongo db
To: keycloak-user at lists.jboss.org

Hi,

We are evaluating keycloak-2.3.0 in standalone mode as well as with docker images. During our validations we came across an issue with group assignment to a user. Please find the information listed below.

Everything works fine when we do our testing of keycloak-2.3.0 with the default configuration, which uses the h2 database internally. We encounter an issue with group assignment (other functionality is working fine) when we use mongo db as the external database to store information. Just to let you know, we have configured the mongo db related configuration in keycloak by referencing the "https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.3/topics/mongo.html" link.

Upon checking backend server logs we found the below stack trace:

Caused by: java.lang.NullPointerException
    at org.keycloak.models.mongo.keycloak.adapters.UserAdapter.isMemberOf(UserAdapter.java:263)
    at org.keycloak.models.cache.infinispan.UserAdapter.isMemberOf(UserAdapter.java:368)
    at org.keycloak.services.resources.admin.UsersResource.joinGroup(UsersResource.java:992)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)

Everything works fine with the keycloak-2.2.1 version. Please confirm if this is an issue or something is wrong.

Thanks,
Jitendra Chouhan

From grantmarrow at gmail.com Fri Nov 18 04:43:51 2016
From: grantmarrow at gmail.com (Grant Marrow)
Date: Fri, 18 Nov 2016 11:43:51 +0200
Subject: [keycloak-user] No 'Access-Control-Allow-Origin' header is present on the requested resource
In-Reply-To:
References: <3C302B8D-3A73-4082-A5C5-31E6E858C1E9@edlogics.com> <23562AA7-5108-4840-899F-2C88B345E166@edlogics.com> <582CC40E.8080008@redhat.com>
Message-ID:

Hi James,

Ok, so I managed to fix it, but I have still not figured out what the exact problem was. This is what I have done to resolve the issue.
The error was happening with the following versions:
Keycloak: 2.3.0
Tomcat: 8.5
(I also tried running tomcat 8.039 with keycloak adapters for version 2.3.0 but it was still giving me problems, some kind of valve exception was thrown.)

I then reverted to version 2.2.1 of keycloak and tomcat 8.039, and then everything worked. Used the exact same setup that I had in the other versions, replaced the keycloak.json files for my rest service and my web app, and everything worked.

Based on that, I think the problem might be with version 2.3.0 of keycloak and tomcat 8*. If I have time I will try to investigate it a bit more.

Regards
Grant

On Fri, Nov 18, 2016 at 12:50 AM, James Falkner wrote:

> Hey Grant - if it's a protected URL, and you've configured web origins correctly for the client, and the adapter, and the browser is sending the right stuff - then Keycloak adapter *should* add the CORS headers. I have a few demos I've created that work in this way, but they all use the official Red Hat SSO product, based on Keycloak 1.9.4.
>
> If you use "curl" with the same headers, does it fail too? See the end of http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.html for an example of how to obtain a token and issue a request using curl.
>
> -James
>
> On Wed, Nov 16, 2016 at 2:51 PM, Grant Marrow wrote:
>
>> Hi James
>>
>> Yes I have used the chrome and firefox postmaster addon to process the same HTTP GET request to my rest service.
>>
>> During this request I added the authorisation bearer header with a valid token and it still returned the same error.
>>
>> The only time it worked was when I stripped out keycloak completely and just added the standard cors configuration in my web.xml of my service, which worked successfully. That's why I'm leaning to the fact that it might be a keycloak error.
>>
>> Regards
>> Grant
>>
>> On 16 Nov 2016 21:39, "James Falkner" wrote:
>>
>>> In the developer console in your browser, can you verify that the proper Authorization header is being passed in the REST call? Something like 'Authorization: bearer '.
>>>
>>> -James
>>>
>>> Grant Marrow
>>> November 16, 2016 at 2:22 PM
>>> I'm familiar with cors. I have used the exact same setup with versions 1.3, 1.4 and 1.9 of keycloak. This problem has started since I upgraded to version 2.3 of keycloak.
>>>
>>> I have also tried adding the cors-enabled-headers and cors-enabled-methods properties to the keycloak.json file on my rest service application and that did not work as well.
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>> Chris Savory
>>> November 16, 2016 at 2:11 PM
>>> This doesn't appear to be Keycloak related at all. This is just CORS errors on your API.
>>>
>>> Try reading up here for some more background.
>>> https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
>>>
>>> But in short, what you need to do is have your API respond with a couple of headers; primarily the 'Access-Control-Allow-Origin' header so the browser knows that XHR calls to the domain http://localhost:8081 are allowed to be called from pages that are served off of the domain http://localhost:9000
>>>
>>> --
>>> Christopher Savory
>>> Software Engineer | EdLogics
>>> www.edlogics.com
>>>
>>> From: Grant Marrow
>>> Date: Wednesday, November 16, 2016 at 2:07 PM
>>> To: Chris Savory, "keycloak-user at lists.jboss.org"
>>> Subject: Re: [keycloak-user] No 'Access-Control-Allow-Origin' header is present on the requested resource
>>>
>>> Ok below is a step by step of events:
>>> [...]
>>> At the above step the error occurs. Please let me know if you need more information. Thanks
>>> Regards
>>> Grant
>>>
>>> On 16 Nov 2016 20:26, "Grant Marrow" wrote:
>>> Hi Chris
>>> Thanks for getting back to me. I have done that and it didn't work. I have also tried adding *. That did not work as well. What else can I try? Please let me know. Thanks
>>> Regards
>>> Grant
>>>
>>> On 16 Nov 2016 20:15, "Chris Savory" wrote:
>>> In the admin, click on Clients, then select your client. Do you have any values for "Web Origins" there? If not, you need to add "http://localhost:9000"
>>>
>>> --
>>> Christopher Savory
>>> Software Engineer | EdLogics
>>> www.edlogics.com
>>>
>>> On 11/16/16, 1:08 PM, "keycloak-user-bounces at lists.jboss.org on behalf of Grant Marrow" wrote:
>>>
>>> [...]
>>>
>>> Grant Marrow
>>> November 16, 2016 at 2:07 PM
>>> [...]
>>>
>>> Chris Savory
>>> November 16, 2016 at 1:15 PM
>>> [...]
>>>
>>> Grant Marrow
>>> November 16, 2016 at 1:08 PM
>>> [...]
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From tecnologia at growingup.com.co Fri Nov 18 08:42:34 2016
From: tecnologia at growingup.com.co (tecnologia at growingup.com.co)
Date: Fri, 18 Nov 2016 08:42:34 -0500
Subject: [keycloak-user] App secured in Apache TomEE not works
Message-ID: <002a01d241a1$a01d2390$e0576ab0$@growingup.com.co>

Hello community:

I have secured my application on an Apache 8 server, following the steps, but when accessing a protected resource I hope to be redirected to Keycloak but nothing happens.

I'm getting this error (HTTP CODE 500)

Nov 18, 2016 1:02:19 AM org.apache.catalina.authenticator.FormAuthenticator forwardToLoginPage
WARNING: No login page was defined for FORM authentication in context [/sis]

I added the keycloak.json file in the WEB-INF and the context.xml file in the META-INF. I have also done my security settings on the web.xml.

keycloak.json:

{
  "realm": "expocafe",
  "auth-server-url": "http://localhost:8080/auth",
  "ssl-required": "external",
  "resource": "sis",
  "credentials": {
    "secret": "8ccc6994-2e05-48d3-9aea-f6f31beb2819"
  }
}

context.xml:

web.xml:

Secured pages
/pages/*
expocafe_usuario
BASIC
expocafe
expocafe_usuario

What could I check?

Keycloak v2.3.0.Final
Apache Tomcat 8.5

From grantmarrow at gmail.com Fri Nov 18 09:02:59 2016
From: grantmarrow at gmail.com (Grant Marrow)
Date: Fri, 18 Nov 2016 16:02:59 +0200
Subject: [keycloak-user] App secured in Apache TomEE not works
In-Reply-To:
References: <002a01d241a1$a01d2390$e0576ab0$@growingup.com.co>
Message-ID:

Hi

Is there a client adapter for TomEE? I don't remember seeing one. If there is, maybe you need to add the adapter to your web server's respective installation directory.
With that being said, I am making the assumption that the configuration steps for TomEE would be the same as for the other clients, i.e. Tomcat, Jetty, etc.

Regards
Grant

On 18 Nov 2016 14:50, wrote:

Hello community:

I have secured my application on an Apache 8 server, following the steps, but when accessing a protected resource I hope to be redirected to Keycloak, but nothing happens.

I'm getting this error (HTTP CODE 500):

Nov 18, 2016 1:02:19 AM org.apache.catalina.authenticator.FormAuthenticator forwardToLoginPage
WARNING: No login page was defined for FORM authentication in context [/sis]

I added the keycloak.json file in WEB-INF and the context.xml file in META-INF. I have also done my security settings in web.xml.

keycloak.json:

{
  "realm": "expocafe",
  "auth-server-url": "http://localhost:8080/auth",
  "ssl-required": "external",
  "resource": "sis",
  "credentials": {
    "secret": "8ccc6994-2e05-48d3-9aea-f6f31beb2819"
  }
}

context.xml:

web.xml:

Secured pages
/pages/*
expocafe_usuario
BASIC
expocafe
expocafe_usuario

What could I check?

Keycloak v2.3.0.Final
Apache Tomcat 8.5


From sblanc at redhat.com Fri Nov 18 09:17:54 2016
From: sblanc at redhat.com (Sebastien Blanc)
Date: Fri, 18 Nov 2016 15:17:54 +0100
Subject: [keycloak-user] App secured in Apache TomEE not works
In-Reply-To: <002a01d241a1$a01d2390$e0576ab0$@growingup.com.co>
References: <002a01d241a1$a01d2390$e0576ab0$@growingup.com.co>
Message-ID:

Is your TomEE version using Tomcat 8.5.5?
Because it looks like a really similar issue, https://issues.jboss.org/browse/KEYCLOAK-3669?filter=-2, and this is fixed and should be available in the next release.

On Fri, Nov 18, 2016 at 2:42 PM, wrote:

> Hello community:
>
> I have secured my application on an Apache 8 server, following the steps,
> but when accessing a protected resource I hope to be redirected to Keycloak,
> but nothing happens.
>
> I'm getting this error (HTTP CODE 500):
>
> Nov 18, 2016 1:02:19 AM org.apache.catalina.authenticator.FormAuthenticator
> forwardToLoginPage
> WARNING: No login page was defined for FORM authentication in context [/sis]
>
> I added the keycloak.json file in WEB-INF and the context.xml file in
> META-INF. I have also done my security settings in web.xml.
>
> keycloak.json:
>
> {
>   "realm": "expocafe",
>   "auth-server-url": "http://localhost:8080/auth",
>   "ssl-required": "external",
>   "resource": "sis",
>   "credentials": {
>     "secret": "8ccc6994-2e05-48d3-9aea-f6f31beb2819"
>   }
> }
>
> context.xml:
>
> <Valve className="org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve" />
>
> web.xml:
>
> Secured pages
> /pages/*
> expocafe_usuario
>
> BASIC
> expocafe
>
> expocafe_usuario
>
> What could I check?
>
> Keycloak v2.3.0.Final
> Apache Tomcat 8.5
>


From tecnologia at growingup.com.co Fri Nov 18 10:35:29 2016
From: tecnologia at growingup.com.co (tecnologia at growingup.com.co)
Date: Fri, 18 Nov 2016 10:35:29 -0500
Subject: [keycloak-user] App secured in Apache TomEE not works
References: <002a01d241a1$a01d2390$e0576ab0$@growingup.com.co>
Message-ID: <004701d241b1$654d3060$2fe79120$@growingup.com.co>

Hello Sebastien,

You saved my life!!!
I manually modified the keycloak-tomcat8-adapter-2.3.0.Final file and it worked perfectly.

public class KeycloakAuthenticatorValve extends AbstractKeycloakAuthenticatorValve {

    public boolean authenticate(Request request, HttpServletResponse response) throws IOException {
        return authenticateInternal(request, response, request.getContext().getLoginConfig());
    }

    // Added for Tomcat 8.5.5+, which calls doAuthenticate() on the authenticator valve
    // (the KEYCLOAK-3669 issue referenced above); delegate to the Keycloak authenticate().
    protected boolean doAuthenticate(Request request, HttpServletResponse response) throws IOException {
        return authenticate(request, response);
    }

    protected boolean forwardToErrorPageInternal(Request request, HttpServletResponse response, Object loginConfig) throws IOException
    ...

This will fix the problem while the new version arrives.

Server: Apache Tomcat (TomEE)/8.5.6 (7.0.2)

Thank you very much.

From: Sebastien Blanc [mailto:sblanc at redhat.com]
Sent: Friday, 18 November 2016 9:18
To: tecnologia at growingup.com.co
CC: keycloak-user
Subject: Re: [keycloak-user] App secured in Apache TomEE not works

Is your TomEE version using Tomcat 8.5.5?

Because it looks like a really similar issue, https://issues.jboss.org/browse/KEYCLOAK-3669?filter=-2, and this is fixed and should be available in the next release.

On Fri, Nov 18, 2016 at 2:42 PM, wrote:

Hello community:

I have secured my application on an Apache 8 server, following the steps, but when accessing a protected resource I hope to be redirected to Keycloak, but nothing happens.

I'm getting this error (HTTP CODE 500):

Nov 18, 2016 1:02:19 AM org.apache.catalina.authenticator.FormAuthenticator forwardToLoginPage
WARNING: No login page was defined for FORM authentication in context [/sis]

I added the keycloak.json file in WEB-INF and the context.xml file in META-INF. I have also done my security settings in web.xml.
keycloak.json:

{
  "realm": "expocafe",
  "auth-server-url": "http://localhost:8080/auth",
  "ssl-required": "external",
  "resource": "sis",
  "credentials": {
    "secret": "8ccc6994-2e05-48d3-9aea-f6f31beb2819"
  }
}

context.xml:

web.xml:

Secured pages
/pages/*
expocafe_usuario
BASIC
expocafe
expocafe_usuario

What could I check?

Keycloak v2.3.0.Final
Apache Tomcat 8.5


From jitendrachouhan03 at gmail.com Fri Nov 18 12:24:05 2016
From: jitendrachouhan03 at gmail.com (Jitendra Chouhan)
Date: Fri, 18 Nov 2016 22:54:05 +0530
Subject: [keycloak-user] Join Group Issue in keycloak2.3.0 with mongo db
In-Reply-To:
References:
Message-ID:

A further update about the issue is listed below.

We exported a realm from 2.2.1 and imported it into a keycloak 2.3.0.Final instance. When we try to assign a group to a newly created user this issue comes up, but if we assign a group to a migrated user (from 2.2.1 to 2.3.0) it works fine; it looks like there is some issue with UserModel.

Thanks,
Jitendra Chouhan

On Fri, Nov 18, 2016 at 2:26 PM, Jitendra Chouhan <jitendrachouhan03 at gmail.com> wrote:

> Does anyone have an idea about, or has anyone faced, a problem in assigning a group to a user
> when a keycloak-2.3.0.Final instance runs with a mongo database? For detailed
> information please refer to this email chain.
>
> Thanks,
> Jitendra Chouhan
>
> ---------- Forwarded message ----------
> From: Jitendra Chouhan
> Date: Thu, Nov 17, 2016 at 10:43 PM
> Subject: Join Group Issue in keycloak2.3.0 with mongo db
> To: keycloak-user at lists.jboss.org
>
>
> Hi,
>
> We are evaluating keycloak-2.3.0 in standalone mode as well as with docker
> images. During our validations we came across an issue with group assignment
> to a user. Please find the information listed below.
>
> Everything works fine when we do our testing of keycloak-2.3.0 with the default
> configuration, which uses the h2 database internally.
> We encounter an issue with
> group assignment (other functionality working fine) when we use mongo db as
> an external database to store information. Just to let you know, we have
> configured the mongo db related configuration in keycloak by referencing the
> https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.3/topics/mongo.html link.
>
> Upon checking the backend server logs we found the below stack trace:
>
> Caused by: java.lang.NullPointerException
>         at org.keycloak.models.mongo.keycloak.adapters.UserAdapter.isMemberOf(UserAdapter.java:263)
>         at org.keycloak.models.cache.infinispan.UserAdapter.isMemberOf(UserAdapter.java:368)
>         at org.keycloak.services.resources.admin.UsersResource.joinGroup(UsersResource.java:992)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:498)
>         at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
>         at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>         at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>         at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
>
>
> Everything works fine with the keycloak-2.2.1 version. Please confirm if this
> is an issue or something is wrong.
>
> Thanks,
> Jitendra Chouhan
>
>
>


From mposolda at redhat.com Fri Nov 18 15:33:35 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 18 Nov 2016 21:33:35 +0100
Subject: [keycloak-user] Join Group Issue in keycloak2.3.0 with mongo db
In-Reply-To:
References:
Message-ID:

It's fixed in latest master and will be available in the 2.4.0.CR1 release next week.

Thanks for reporting this.
Marek

On 18/11/16 18:24, Jitendra Chouhan wrote:
> A further update about the issue is listed below.
>
> We exported a realm from 2.2.1 and imported it into a keycloak 2.3.0.Final
> instance. When we try to assign a group to a newly created user this issue
> comes up, but if we assign a group to a migrated user (from 2.2.1 to 2.3.0) it works
> fine; it looks like there is some issue with UserModel.
>
> Thanks,
> Jitendra Chouhan
>
> On Fri, Nov 18, 2016 at 2:26 PM, Jitendra Chouhan <
> jitendrachouhan03 at gmail.com> wrote:
>
>> Does anyone have an idea about, or has anyone faced, a problem in assigning a group to a user
>> when a keycloak-2.3.0.Final instance runs with a mongo database? For detailed
>> information please refer to this email chain.
>>
>> Thanks,
>> Jitendra Chouhan
>>
>> ---------- Forwarded message ----------
>> From: Jitendra Chouhan
>> Date: Thu, Nov 17, 2016 at 10:43 PM
>> Subject: Join Group Issue in keycloak2.3.0 with mongo db
>> To: keycloak-user at lists.jboss.org
>>
>>
>> Hi,
>>
>> We are evaluating keycloak-2.3.0 in standalone mode as well as with docker
>> images. During our validations we came across an issue with group assignment
>> to a user. Please find the information listed below.
>>
>> Everything works fine when we do our testing of keycloak-2.3.0 with the default
>> configuration, which uses the h2 database internally.
>> We encounter an issue with
>> group assignment (other functionality working fine) when we use mongo db as
>> an external database to store information. Just to let you know, we have
>> configured the mongo db related configuration in keycloak by referencing the
>> https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.3/topics/mongo.html link.
>>
>> Upon checking the backend server logs we found the below stack trace:
>>
>> Caused by: java.lang.NullPointerException
>>         at org.keycloak.models.mongo.keycloak.adapters.UserAdapter.isMemberOf(UserAdapter.java:263)
>>         at org.keycloak.models.cache.infinispan.UserAdapter.isMemberOf(UserAdapter.java:368)
>>         at org.keycloak.services.resources.admin.UsersResource.joinGroup(UsersResource.java:992)
>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>         at java.lang.reflect.Method.invoke(Method.java:498)
>>         at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
>>         at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>>         at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>>         at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
>>
>>
>> Everything works fine with the keycloak-2.2.1 version. Please confirm if this
>> is an issue or something is wrong.
>>
>> Thanks,
>> Jitendra Chouhan
>>
>>
>>
>>
>


From mposolda at redhat.com Fri Nov 18 15:43:08 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 18 Nov 2016 21:43:08 +0100
Subject: [keycloak-user] keycloak-session returns userModel as null in eventListenerProvider SPI
In-Reply-To:
References:
Message-ID:

On 16/11/16 22:10, abhishek raghav wrote:
> Hi
>
> I am trying to implement a welcome email to users newly registered by an admin.
> I am using the event listener SPI and emailSenderProvider to do this.
>
> I am implementing a provider for the Event Listener SPI and notifying users
> by sending an email, reacting to the create user OperationType using
> emailSenderProvider.
>
> Here I am overriding the onEvent method which gets triggered on any
> AdminEvents.
> Now inside this method, I am preparing the content and calling
> emailSenderProvider.send() which takes realmModel and userModel.
>
> The issue is, I am able to get the realmModel, but not the userModel.
> Code for reference:
> @Override
> public void onEvent(AdminEvent event, boolean includeRepresentation) {
>     UserModel user =
>         session.users().getUserById(event.getAuthDetails().getUserId(), realm);
>     ......
event.getAuthDetails().getUserId() points to the details of the admin user, who is authenticated to the admin session. Not the user you are trying to edit.

I bet that realm points to some custom realm you created (eg. "foo"), however event.getAuthDetails().getUserId() points to the userID of the admin user from the "master" realm. Hence session.users().getUserById returning null. Could that be the case?
If you want the ID of the actually registered user, you likely need to decode it from resourcePath.

Hope it helps,
Marek

>
> The same works perfectly in the onEvent() for loginEvents.
>
> Is it that the newly created resource is not available in the session, but
> when we try updating an existing resource, it is able to fetch it?
>
> Please help me find where I am going wrong. Or is there any other way to get the
> userModel object?
>
> Thanks in advance.
>
> Cheers
> Abhishek
>


From mposolda at redhat.com Fri Nov 18 15:47:22 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 18 Nov 2016 21:47:22 +0100
Subject: [keycloak-user] Issue with Rest API "Add a social login provider to the user"
In-Reply-To:
References:
Message-ID: <10a3cdaf-ef32-f88e-5f9d-7157c7fd2ccc@redhat.com>

You can take a look at some of our tests, which are using this admin endpoint. For example https://github.com/keycloak/keycloak/blob/master/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/UserTest.java

Marek

On 18/11/16 06:36, Laghuvaram, Raghu wrote:
> Team,
>
> I am using the Rest API to create a user and add a social login provider to that user. I am able to add the user but I am not able to add the Social Login Provider. When I am trying to add the Social Login Provider as
>
>
> kc = KeycloakBuilder.builder() //
>         .serverUrl("http://localhost:8080/auth") //
>         .realm("SocialDemo") //
>         .username("admin") //
>         .password("admin") //
>         .clientId("admin-cli") //
>         .resteasyClient(new ResteasyClientBuilder().connectionPoolSize(10).build()) //
>         .build();
>
> response = kc.realm("SocialDemo").users().get(createdUserId).addFederatedIdentity("facebook", link);
>
>
> I am getting an NPE as below. Please help. Is there any other approach than what I am following?
>
>
>
>
> 00:27:14,145 ERROR [io.undertow.request] (default task-124) UT005023: Exception handling request to /auth/admin/realms/SocialDemo/users/87b95eea-a04c-48b2-87ce-b8e0e7eb43d8/federated-identity/facebook: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
>         at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
>         at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
>         at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
>         at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
>         at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
>         at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>         at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>         ...........
>         at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>         at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>         at java.lang.Thread.run(Thread.java:745)
> Caused by: java.lang.NullPointerException
>         at org.keycloak.models.jpa.JpaUserProvider.addFederatedIdentity(JpaUserProvider.java:166)
>         at org.keycloak.storage.UserStorageManager.addFederatedIdentity(UserStorageManager.java:158)
>         at org.keycloak.models.cache.infinispan.UserCacheSession.addFederatedIdentity(UserCacheSession.java:621)
>         at org.keycloak.models.UserFederationManager.addFederatedIdentity(UserFederationManager.java:163)
>         at org.keycloak.services.resources.admin.UsersResource.addFederatedIdentity(UsersResource.java:478)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         .................
>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>         at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>         at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
>         ... 37 more
>
> ________________________________
>
> Notice: This communication may contain privileged and/or confidential information. If you are not the intended recipient, please notify the sender by email, and immediately delete the message and any attachments without copying or disclosing them. LB may, for any reason, intercept, access, use, and disclose any information that is communicated by or through, or which is stored on, its networks, applications, services, and devices.
>


From bburke at redhat.com Fri Nov 18 15:52:45 2016
From: bburke at redhat.com (Bill Burke)
Date: Fri, 18 Nov 2016 15:52:45 -0500
Subject: [keycloak-user] Logout session issues
In-Reply-To:
References:
Message-ID: <9ed7ebe9-9656-e496-38d2-d4fb85aa70b1@redhat.com>

In the community, we only support the latest release. A lot has changed since 1.9.3. 1.9.4-1.9.8 resolved a ton of tickets and there have been a lot of features and refactoring since last April. You can get commercial support from Red Hat for 1.9.x via the RH-SSO product. RH-SSO 7.0 is based off of Keycloak 1.9.8.

As for your question, hopefully somebody else chimes in as I know nothing about the spring security integration. What you may not have configured in the Keycloak admin console page is the admin endpoint. This is a proprietary endpoint that keycloak adapters expose to receive back-channel logout events. If this URL is not set, then a backchannel logout request is not sent to the application. I'm not sure if our spring adapter supports backchannel logout.

Not much help, but it's the most I can offer at the moment.

On 11/17/16 11:08 AM, Haim Vana wrote:
> Hi,
>
> We are working on Keycloak 1.9.3 with spring security, and trying to implement backchannel logout (one application performs logout and the second application is not aware of it).
>
> We would appreciate it if you could kindly advise regarding the below:
>
>
> 1. What is the best practice to handle backchannel logout? More specifically, where and how should the access token validation be performed (how should the second application know that the first one performed the logout)?
>
>
>
> 2. We have noticed that the Keycloak spring security filters (straight from the documentation) don't try to authenticate the token after it is revoked.
> What's the best practice to handle access token expiration? Is it implemented by keycloak, or should we handle it on the server or client side?
>
>
>
> 3. The getToken() method of RefreshableKeycloakSecurityContext does not fail if the token is expired; is this on purpose? If so, should we handle it in our application code?
>
>
> 4. We have implemented the KeycloakOIDCFilter, but it doesn't empty the spring security authentication object (SecurityContextHolder.getContext().getAuthentication()) after logout; as a result the client 'thinks' it is still authenticated. What's the best practice to handle it?
>
>
>
> Thanks,
> Haim.
> The information contained in this message is proprietary to the sender, protected from disclosure, and may be privileged. The information is intended to be conveyed only to the designated recipient(s) of the message. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you.
>


From mposolda at redhat.com Fri Nov 18 15:52:43 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 18 Nov 2016 21:52:43 +0100
Subject: [keycloak-user] Is it possible to add OIDC client via command line?
In-Reply-To:
References:
Message-ID:

Yes, we have the Client registration service, see the docs https://keycloak.gitbooks.io/securing-client-applications-guide/content/v/2.3/topics/client-registration.html . And in the latest version, we even have a Client Registration CLI, which is exactly what you need IMO. It's not yet documented online, but will be in the next version.
For now, you can decode the docs from the sources https://github.com/keycloak/securing_apps_guide/commit/13e1c545461224ce6162979bc161322a4b6384da

Marek

On 16/11/16 12:38, Michael Furman wrote:
> Hi,
> (I have searched the archives without success)
> I want to add an OIDC client via the command line.
> Similar to how we add the keycloak initial user (https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/initialization.html)
> Alternatively, can I configure access to the REST APIs from the localhost IP without the user name / password authentication (and then I will add the OIDC client via the REST API http://www.keycloak.org/docs/rest-api/#_create_a_new_client)?
>
>
>
>


From bburke at redhat.com Fri Nov 18 15:56:37 2016
From: bburke at redhat.com (Bill Burke)
Date: Fri, 18 Nov 2016 15:56:37 -0500
Subject: [keycloak-user] No 'Access-Control-Allow-Origin' header is present on the requested resource
In-Reply-To:
References: <3C302B8D-3A73-4082-A5C5-31E6E858C1E9@edlogics.com> <23562AA7-5108-4840-899F-2C88B345E166@edlogics.com> <582CC40E.8080008@redhat.com>
Message-ID:

On 11/17/16 5:50 PM, James Falkner wrote:
> Hey Grant - if it's a protected URL, and you've configured web origins
> correctly for the client, and the adapter, and the browser is sending the
> right stuff - then the Keycloak adapter *should* add the CORS headers. I have a
> few demos I've created that work in this way, but they all use the official
> Red Hat SSO product, based on Keycloak 1.9.4.

RHSSO is based on 1.9.8.
Bill


From mposolda at redhat.com Fri Nov 18 15:58:14 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 18 Nov 2016 21:58:14 +0100
Subject: [keycloak-user] multiple ldap servers (failover)
In-Reply-To: <6be2eea7-fd61-d291-c6a5-c719fcd38418@gmail.com>
References: <5e6a9c4e-ff28-73e6-df3b-4896b5ebc78a@merit.unu.edu> <6be2eea7-fd61-d291-c6a5-c719fcd38418@gmail.com>
Message-ID:

On 17/11/16 11:10, cen wrote:
> For question two, Keycloak uses the h2 database by default, which is stored
> locally in the KC directory. But for production you probably don't want to
> use that. You should configure Keycloak to use an external database and
> back up that instead. You basically just modify standalone.xml and change
> the KeycloakDS datasource to use the database of your choice.
+1. Never use h2 in production.

For LDAP, we didn't yet try to test a configuration like this. What we do is, the configured "Connection URL" is used as the property "java.naming.provider.url" of the LDAP InitialContext. So if that is supported by Java OOTB, then it works. Otherwise probably not. You can double-check and possibly create a JIRA with the example URLs of your AD DCs.

Thanks,
Marek

>
>
> On 17. 11. 2016 at 11:01, mj wrote:
>> Hi all,
>>
>> We've just found keycloak, and are evaluating it. It's looking great so
>> far! We have two questions.
>>
>> Question one:
>> We are running three AD DCs, and would like to configure all three in
>> keycloak, to get failover & redundancy.
>> To do this, I have simply configured three comma-separated DCs in the
>> ldap URL field. Keycloak accepted this input, but I'm not sure that all
>> three will be used...
>> Is the above the way to provide multiple ldap servers to keycloak?
>>
>> Question two:
>> How about backing up keycloak? We are running from an extracted tar.gz.
>> If we keep backups of this keycloak-directory, is that enough? Does
>> keycloak need to be shut down at backup time?
>>
>> Best regards,
>> MJ
>>
>


From lists at merit.unu.edu Sat Nov 19 09:22:43 2016
From: lists at merit.unu.edu (mj)
Date: Sat, 19 Nov 2016 15:22:43 +0100
Subject: [keycloak-user] multiple ldap servers (failover)
In-Reply-To:
References: <5e6a9c4e-ff28-73e6-df3b-4896b5ebc78a@merit.unu.edu> <6be2eea7-fd61-d291-c6a5-c719fcd38418@gmail.com>
Message-ID: <2117cd64-1e52-59b8-513c-47dd2d164b1a@merit.unu.edu>

Hi Marek,

On 11/18/2016 09:58 PM, Marek Posolda wrote:
> +1. Never use h2 in production.
ok, duly noted, thanks both.

> For LDAP, we didn't yet try to test a configuration like this. What we
> do is, the configured "Connection URL" is used as the property
> "java.naming.provider.url" of the LDAP InitialContext. So if that is
> supported by Java OOTB, then it works. Otherwise probably not. You can
> double-check and possibly create a JIRA with the example URLs of your AD DCs.
Ok, reading this:
http://stackoverflow.com/questions/40218516/a-way-to-define-implement-failover-ldap-servers-in-java-code
makes me think that we should be able to provide multiple ldap servers, space separated.
Trying this:

Connection URL #1:
ldaps://nonexistant-dns.company.com:636 ldaps://ldap.company.com:636
Result: connection OK, authentication OK
(It ignores the non-existent URL, and talks to the second URL)

Connection URL #2:
ldaps://ldap1.company.com:636 ldaps://ldap2.company.com:636
AND make iptables drop all traffic from ldap1.company.com
Result: timeout in the logs, and connection does NOT work

Connection URL #3:
ldaps://ldap1.company.com:636 ldaps://ldap2.company.com:636
AND make iptables drop all traffic from ldap2.company.com
Result: connection OK, authentication OK

My conclusion #1: the field accepts valid and invalid URLs, invalid URLs are silently skipped, and the second (valid) URL is checked and validated. (expected: some error about the first invalid URL)

My conclusion #2: further to conclusion #1, it seems that keycloak is able to skip URLs, so it should also be able to skip to the next URL if a server happens to be down, but this does not happen: authentication is not possible, and the check fails. It 'hangs' on the non-responding URL.

For a piece of software so vital for authentication, we feel that multiple ldap servers (failover) is a must.

So, do you think that this is worth filing 'a JIRA' about?

MJ


From sblanc at redhat.com Sat Nov 19 13:28:24 2016
From: sblanc at redhat.com (Sebastien Blanc)
Date: Sat, 19 Nov 2016 19:28:24 +0100
Subject: [keycloak-user] multiple ldap servers (failover)
In-Reply-To:
References: <5e6a9c4e-ff28-73e6-df3b-4896b5ebc78a@merit.unu.edu> <6be2eea7-fd61-d291-c6a5-c719fcd38418@gmail.com>
Message-ID:

For LDAP, looks like it must be space separated and comma separated (see http://docs.oracle.com/javase/jndi/tutorial/ldap/misc/url.html). I just tried with "ldap://localhost:10359 ldap://localhost:10389" (the first one is incorrect) and when pressing "Test connection" it says "success", so apparently it fails over correctly.
On Fri, Nov 18, 2016 at 9:58 PM, Marek Posolda wrote:

> On 17/11/16 11:10, cen wrote:
> > For question two, Keycloak uses the h2 database by default, which is stored
> > locally in the KC directory. But for production you probably don't want to
> > use that. You should configure Keycloak to use an external database and
> > back up that instead. You basically just modify standalone.xml and change
> > the KeycloakDS datasource to use the database of your choice.
> +1. Never use h2 in production.
>
> For LDAP, we didn't yet try to test a configuration like this. What we
> do is, the configured "Connection URL" is used as the property
> "java.naming.provider.url" of the LDAP InitialContext. So if that is
> supported by Java OOTB, then it works. Otherwise probably not. You can
> double-check and possibly create a JIRA with the example URLs of your AD DCs.
>
> Thanks,
> Marek
>
> >
> >
> > On 17. 11. 2016 at 11:01, mj wrote:
> >> Hi all,
> >>
> >> We've just found keycloak, and are evaluating it. It's looking great so
> >> far! We have two questions.
> >>
> >> Question one:
> >> We are running three AD DCs, and would like to configure all three in
> >> keycloak, to get failover & redundancy.
> >> To do this, I have simply configured three comma-separated DCs in the
> >> ldap URL field. Keycloak accepted this input, but I'm not sure that all
> >> three will be used...
> >> Is the above the way to provide multiple ldap servers to keycloak?
> >>
> >> Question two:
> >> How about backing up keycloak? We are running from an extracted tar.gz.
> >> If we keep backups of this keycloak-directory, is that enough? Does
> >> keycloak need to be shut down at backup time?
> >>
> >> Best regards,
> >> MJ
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user

From lists at merit.unu.edu Sat Nov 19 13:48:22 2016
From: lists at merit.unu.edu (mj)
Date: Sat, 19 Nov 2016 19:48:22 +0100
Subject: [keycloak-user] multiple ldap servers (failover)
In-Reply-To:
References: <5e6a9c4e-ff28-73e6-df3b-4896b5ebc78a@merit.unu.edu> <6be2eea7-fd61-d291-c6a5-c719fcd38418@gmail.com>
Message-ID: <6308da08-9f12-d162-3ede-05908b6f1fad@merit.unu.edu>

Hi Sebastien,

On 11/19/2016 07:28 PM, Sebastien Blanc wrote:

Yes, I see that too. See example #1 in my last email. (only difference: me: wrong dns name, you: wrong port number)

However, what I'm concerned about is my example #2, where both URLs are in fact correct, but only the second one is responding. (in my case: iptables dropping traffic, but could also be something else, like a malfunctioning ldap server)

The result of this seems to be that things NO LONGER work (a timeout). At least in my testing...

Do you not see that?
MJ

From sblanc at redhat.com Sat Nov 19 13:54:36 2016
From: sblanc at redhat.com (Sebastien Blanc)
Date: Sat, 19 Nov 2016 18:54:36 +0000
Subject: [keycloak-user] multiple ldap servers (failover)
In-Reply-To: <6308da08-9f12-d162-3ede-05908b6f1fad@merit.unu.edu>
References: <5e6a9c4e-ff28-73e6-df3b-4896b5ebc78a@merit.unu.edu> <6be2eea7-fd61-d291-c6a5-c719fcd38418@gmail.com> <6308da08-9f12-d162-3ede-05908b6f1fad@merit.unu.edu>
Message-ID:

Sorry, I missed your latest email with the examples; for some reason it ended up in my spam box. Looks like you spotted some bugs, so yes, opening a jira is the best thing to do.

On Sat, 19 Nov 2016 at 19:48, mj wrote:

From lists at merit.unu.edu Mon Nov 21 13:40:49 2016
From: lists at merit.unu.edu (lists)
Date: Mon, 21 Nov 2016 19:40:49 +0100
Subject: [keycloak-user] looking for samples and howto's
Message-ID: <39c9d197-6f88-e2cb-eaa6-f65eb7d77717@merit.unu.edu>

Hi,

I have been playing with keycloak for the last two days, and while it looks beautiful and has all the features (plus many more!)
we (think) we're looking for, we're having a hard time getting any client to work, with one exception: the builtin 'account' client.

We
- setup apache2 reverse proxy so keycloak runs on regular https port
- configured Let's Encrypt SSL
- added our realm & configured our samba AD, synced users/groups
- configured HAProxy for AD DC failover
- configured and tested kerberos authentication

Everything works great, but it's all within the keycloak system. (specifically: the builtin 'accounts' client)

We've not had much luck at all making an external product authenticate using keycloak IdP / SAML. We thought an easy client would be perhaps simplesamlphp, or wordpress plugins ("miniOrange SSO using SAML 2.0" and "SAML 2.0 Single Sign-On") but there are no examples / step-by-step guides specific to keycloak that we can find.

There is a lot of keycloak-related talk on jboss, war, wildfly, keycloak's client adapters, etc, but to us, these all seem to be more 'advanced usage', rather than using a 'regular' SAML capable client.

Or we're beginning to think that perhaps we misunderstand what keycloak can do for us...

Hence our request here: Does anyone have a list of simple steps ("provide this, check this, fill in this here, etc, etc") for some well-known external mainstream easily obtainable SAML clients?

We would be very grateful :-)

From sthorger at redhat.com Mon Nov 21 16:57:41 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 21 Nov 2016 22:57:41 +0100
Subject: [keycloak-user] Keycloak 2.4.0.CR1 released
Message-ID:

We've just released Keycloak 2.4.0.CR1. This release is mainly a maintenance release and we've done a lot of minor improvements and bug fixes. For the full list of issues resolved check out JIRA, and to download the release go to the Keycloak homepage.
From colin.ritchie at tasktop.com Mon Nov 21 17:17:28 2016
From: colin.ritchie at tasktop.com (Colin Ritchie)
Date: Mon, 21 Nov 2016 14:17:28 -0800
Subject: [keycloak-user] My KEYCLOAK_SESSION cookie is always wrong
In-Reply-To:
References:
Message-ID:

Thanks Stian. You were right, although there were 2 issues. The proxy was messing with the cookies, and I have resolved this. But I am still periodically seeing issues when we are testing multiple different keycloak installs from the same browser - sometimes there are multiple session cookies, and I end up having to clear out all of them to get Keycloak to start working again. I have not been able to reproduce this consistently yet, though.

On Tue, Nov 15, 2016 at 3:27 AM, Stian Thorgersen wrote:
> Looks like your reverse proxy is for some reason messing with the cookies
>
> On 14 November 2016 at 20:47, Colin Ritchie wrote:
>> Hello,
>>
>> I am running keycloak behind a reverse proxy. After I log in, when
>> visiting the keycloak admin, the page refreshes every 5 seconds. It
>> appears to be because my session cookie does not match the expected
>> KEYCLOAK_SESSION value in the server response.
>>
>> When I monitor the traffic between the browser and keycloak, the cookie
>> sent to keycloak matches the cookie in the response.
>>
>> When I put a breakpoint in the login.status.iframe.html getCookie() method,
>> I see the desired cookie with the incorrect name
>> "!Proxy!clusterProxyKEYCLOAK_SESSION", and I sometimes see an invalid
>> cookie with the correct name "KEYCLOAK_SESSION".
>>
>> example:
>> "!Proxy!clusterProxyKEYCLOAK_SESSION=master/127ff890-6fde-47f5-8a81-039c67d0a261/c7b9427b-eb59-4b2a-8b3c-f8436c130613"
>>
>> Does anyone know what is happening here?
>>
>> --
>> Colin Ritchie | Engineering Manager | Tasktop Technologies

--
Colin Ritchie | Engineering Manager | Tasktop Technologies

From juandiego83 at gmail.com Mon Nov 21 19:11:17 2016
From: juandiego83 at gmail.com (Juan Diego)
Date: Mon, 21 Nov 2016 19:11:17 -0500
Subject: [keycloak-user] Failed to verify token
Message-ID:

Hi,

I haven't done this in a while. I have keycloak 1.9.8 running in a server. I created a front-end and backend, front with angularjs, backend with java and wildfly10.
The front-end works, but when I try to send requests to my back end I get the following:

18:51:42,377 ERROR [org.keycloak.adapters.BearerTokenRequestAuthenticator] (default task-38) Failed to verify token: org.keycloak.common.VerificationException: Invalid token signature.
        at org.keycloak.RSATokenVerifier.toAccessToken(RSATokenVerifier.java:73)
        at org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:39)
        at org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:35)
        ...
On my browser I get this:

401 Unauthorized - http://localhost:8080/ramona-backend/configuracion/grabarLista
WWW-Authenticate Bearer realm="ramona", error="invalid_token", error_description="Invalid token signature."
x-powered-by Undertow/1

But I can see that a token is being sent:

Accept application/json, text/plain, */*
Accept-Encoding gzip, deflate
Accept-Language en-US,en;q=0.5
Authorization Bearer
Host localhost:8080
Origin http://ramona.localdomain
Referer http://ramona.localdomain/configuracion
User-Agent Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0

The front end is public, the backend is bearer only, in the
same realm. Web Origins is
http://ramona.localdomain
http://localhost:8080
http://localhost
and valid redirect uris.

Thanks,

JD

From juandiego83 at gmail.com Mon Nov 21 19:40:56 2016
From: juandiego83 at gmail.com (Juan Diego)
Date: Mon, 21 Nov 2016 19:40:56 -0500
Subject: [keycloak-user] Failed to verify token
In-Reply-To:
References:
Message-ID:

Hi,

Sorry, I just didn't realize that I was compiling an old version of my project.

On Mon, Nov 21, 2016 at 7:11 PM, Juan Diego wrote:

From mposolda at redhat.com Tue Nov 22 02:46:04 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 22 Nov 2016 08:46:04 +0100
Subject: [keycloak-user] looking for samples and howto's
In-Reply-To: <39c9d197-6f88-e2cb-eaa6-f65eb7d77717@merit.unu.edu>
References: <39c9d197-6f88-e2cb-eaa6-f65eb7d77717@merit.unu.edu>
Message-ID:

Hi,

did you try our keycloak-examples distribution? You can download it from the keycloak homepage. Then you can try the existing examples. Probably those in directories:
- saml
- broker/saml-broker-authentication

will be most interesting for you.

Marek

On 21/11/16 19:40, lists wrote:
From filip_bielejec at trimble.com Tue Nov 22 03:14:59 2016
From: filip_bielejec at trimble.com (Filip Bielejec)
Date: Tue, 22 Nov 2016 09:14:59 +0100
Subject: [keycloak-user] keycloak auth-method changes to BASIC
Message-ID:

Putting a webservice EJB annotated with WebContext changes the (already configured) authorization method from KEYCLOAK to BASIC and effectively locks the client out.

I modified the keycloak product-demo example to demonstrate the problem:
https://github.com/fbielejec/keycloak-demo

Please note that the bean isn't called anywhere; it is *just* on the classpath. I'm not sure if this is the desired behaviour.
Best,
fbielejec

From glaissard at axway.com Tue Nov 22 06:28:10 2016
From: glaissard at axway.com (Gerard Laissard)
Date: Tue, 22 Nov 2016 11:28:10 +0000
Subject: [keycloak-user] authz and SAML
Message-ID:

Hi,

Our applications (resource servers) are using SAML to authenticate users with Keycloak. We would like to use authorization services.
Authorization service can be activated on OIDC clients; will it be possible to activate authorization service on SAML clients? Is there any way to use authz with a SAML client?

Thanks
Gerard

From psilva at redhat.com Tue Nov 22 06:55:37 2016
From: psilva at redhat.com (Pedro Igor)
Date: Tue, 22 Nov 2016 09:55:37 -0200
Subject: [keycloak-user] authz and SAML
In-Reply-To:
References:
Message-ID:

Hi Gerard,

Right now, AuthZ Services are heavily based on OAuth2+OIDC. Right now, you can only use it when your apps are talking OIDC.

Besides that, our enforcers are only enabled for - some - OIDC adapters such as: undertow, wildfly, tomcat and eap.

The reason why we started with OIDC is that it fits better with the Authorization API and most use cases around API security.

Can you open a JIRA, please? I'm going to talk with @Stian about it and see when we are able to enable authz for SAML.

Regards.
Pedro Igor

On 11/22/2016 9:29:25 AM, Gerard Laissard wrote:

From lists at merit.unu.edu Tue Nov 22 06:56:24 2016
From: lists at merit.unu.edu (lists)
Date: Tue, 22 Nov 2016 12:56:24 +0100
Subject: [keycloak-user] looking for samples and howto's
In-Reply-To:
References: <39c9d197-6f88-e2cb-eaa6-f65eb7d77717@merit.unu.edu>
Message-ID: <76e51f7e-35a1-6de4-bef7-f392b8342a7d@merit.unu.edu>

Hi Marek,

On 22-11-2016 8:46, Marek Posolda wrote:

* I downloaded the keycloak-examples (2.4.0.CR1) distr on another machine, and started the server: keycloak-demo-2.4.0.CR1/keycloak/bin/standalone.sh
* added an admin user and was able to log in to Wildfly at localhost:9990

In WildFly I see a deployed keycloak-server.war and that's about it.
Is this the no-config-required demo distribution? I'm not sure how to continue..?

I can see the directories saml and broker/saml-broker-authentication in ./examples, but what to do with them?

Apologies for the basic questions....

MJ

From robotirlandes at gmail.com Tue Nov 22 08:11:29 2016
From: robotirlandes at gmail.com (venito camelas)
Date: Tue, 22 Nov 2016 10:11:29 -0300
Subject: [keycloak-user] Token introspection
Message-ID:

Is it possible to have an app making token introspection requests for tokens not issued for it?

I'll try to explain: Keycloak issues tokens to be used in a specific Resource server; the RS then validates the token (self contained info or token introspection endpoint).
The situation is something like this:

              1                          3
     ----------------- KK -----------------
     |                                    |
     |                 2                  |
   Client ----------------------------- RS

1 - Client gets token to use with RS
2 - Client uses token to make a request to RS
3 - RS makes a token introspection request

Now, I want to add a router in the middle. I'd like the router to make the token introspection request (with the token issued for the RS) and then allow it to go to the RS if everything is ok:

              1
     ----------------- KK -----------------
     |                  |                 |
     |                3 |                 |
     |        2         |        4        |
   Client --------- Router ----------- RS

1 - Client gets token to use with RS
2 - Client uses token to make a request to RS
3 - Router intercepts the request and validates the token (expiration and stuff like that)
4 - If validation is ok, the router allows the request to go to the RS; the RS then validates scopes and specific stuff.

Thank you

From sblanc at redhat.com Tue Nov 22 09:04:30 2016
From: sblanc at redhat.com (Sebastien Blanc)
Date: Tue, 22 Nov 2016 15:04:30 +0100
Subject: [keycloak-user] keycloak auth-method changes to BASIC
In-Reply-To:
References:
Message-ID:

I can indeed reproduce your problem, but tbh I have no idea if this is an expected behaviour or not. And if it is a bug, not sure if it's on the undertow or keycloak.
Anyway, could you open a ticket for this?

On Tue, Nov 22, 2016 at 9:14 AM, Filip Bielejec wrote:

From jfalkner at redhat.com Tue Nov 22 09:33:42 2016
From: jfalkner at redhat.com (James Falkner)
Date: Tue, 22 Nov 2016 09:33:42 -0500
Subject: [keycloak-user] No 'Access-Control-Allow-Origin' header is present on the requested resource
In-Reply-To:
References: <3C302B8D-3A73-4082-A5C5-31E6E858C1E9@edlogics.com> <23562AA7-5108-4840-899F-2C88B345E166@edlogics.com> <582CC40E.8080008@redhat.com>
Message-ID: <58345746.3080802@redhat.com>

Dang, you'd think I would have remembered that[1]! Guess the ole noggin ain't what it used to be..

-James

[1] http://lists.jboss.org/pipermail/keycloak-user/2016-June/006704.html

> Bill Burke
> November 18, 2016 at 3:56 PM
> RHSSO is based on 1.9.8.
>
> Bill
>
> James Falkner
> November 17, 2016 at 5:50 PM
> Hey Grant - if it's a protected URL, and you've configured web origins
> correctly for the client, and the adapter, and the browser is sending
> the right stuff - then Keycloak adapter *should* add the CORS headers.
> I have a few demos I've created that work in this way, but they all
> use the official Red Hat SSO product, based on Keycloak 1.9.4.
>
> If you use "curl" with the same headers, does it fail too? See the end
> of http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.html
> for an example of how to obtain a token and issue a request using curl.
>
> -James
>
> Grant Marrow
> November 16, 2016 at 3:51 PM
>
> Hi James
>
> Yes I have used the chrome and firefox postmaster addon to process
> the same HTTP GET request to my rest service.
>
> During this request I added the authorisation bearer header with a
> valid token and it still returned the same error.
>
> The only time it worked was when I stripped out keycloak completely
> and just added the standard cors configuration in my web.xml of my
> service worked successfully. That's why I'm leaning to the fact that
> it might be a keycloak error.
>
> Regards
> Grant
>
> James Falkner
> November 16, 2016 at 3:39 PM
> In the developer console in your browser, can you verify that the
> proper Authorization header is being passed in the REST call?
> Something like 'Authorization: bearer '.
>
> -James
>
> Grant Marrow
> November 16, 2016 at 3:22 PM
> I'm familiar with cors. I have used the exact same setup with versions
> 1.3, 1.4 and 1.9 of keycloak. This problem has started since I upgraded
> to version 2.3 of keycloak.
>
> I have also tried adding the cors-enabled-headers and cors-enabled-methods
> properties to the keycloak.json file on my rest service application and
> that did not work as well.

From filip_bielejec at trimble.com Tue Nov 22 10:24:01 2016
From: filip_bielejec at trimble.com (Filip Bielejec)
Date: Tue, 22 Nov 2016 16:24:01 +0100
Subject: [keycloak-user] keycloak auth-method changes to BASIC
In-Reply-To:
References:
Message-ID:

This is now reported in https://issues.jboss.org/projects/KEYCLOAK/issues/KEYCLOAK-3966?filter=allopenissues

f.

On Tue, Nov 22, 2016 at 3:04 PM, Sebastien Blanc wrote:

From musti.kuru at gmail.com Tue Nov 22 10:51:10 2016
From: musti.kuru at gmail.com (Mustafa Kuru)
Date: Tue, 22 Nov 2016 16:51:10 +0100
Subject: [keycloak-user] Create user with admin client - throws socket exception..
Message-ID:

Hi,

We are using the admin client to create a keycloak user.
A socket exception occurs sometimes on a test stage. Unfortunately I cannot reproduce it locally. The stage is clustered.

From the keycloak logs I cannot find much information about this problem.

This produces blocking sessions in the keycloak database. We have to kill them every time. Otherwise every following call hangs about 5 min. and then throws an exception.
It is very annoying.

Until we upgrade from version 1.8.1 to 2.x.x we have to find a temporary solution.
I need to know why the "create user" call causes blocking sessions in the database.
The exception looks like:

javax.ws.rs.ProcessingException: Unable to invoke request
        at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:287)
        at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:407)
        at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:102)
        at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:62)
        ...
Caused by: java.net.SocketException: Connection reset
        at java.net.SocketInputStream.read(SocketInputStream.java:209)
        at java.net.SocketInputStream.read(SocketInputStream.java:141)
        at org.apache.http.impl.io.AbstractSessionInputBuffer.fillBuffer(AbstractSessionInputBuffer.java:158)

Thanks in advance.

Kind regards.

Mustafa Kuru

From bburke at redhat.com Tue Nov 22 11:27:18 2016
From: bburke at redhat.com (Bill Burke)
Date: Tue, 22 Nov 2016 11:27:18 -0500
Subject: [keycloak-user] Create user with admin client - throws socket exception..
In-Reply-To:
References:
Message-ID: <0014d230-4a32-f65c-081d-3431aebb39ec@redhat.com>

Too much has changed from 1.8.1 for us to be able to track down what the exact problem is. Move to 1.9.8, which our product is based on, or the latest 2.x.

On 11/22/16 10:51 AM, Mustafa Kuru wrote:

From robin1233 at gmail.com Tue Nov 22 13:45:25 2016
From: robin1233 at gmail.com (robinfernandes .)
Date: Tue, 22 Nov 2016 13:45:25 -0500
Subject: [keycloak-user] Out of memory error on Keycloak cluster
In-Reply-To:
References:
Message-ID:

Hi Guys,

I added the eviction policy to the standalone-ha.xml and it looks like this:

I ran some tests to do concurrent logins by spawning multiple threads and the Keycloak node still went down after there were around ~170K active sessions. Took the thread and heap dump as well if that is helpful. We have the -Xms set to 512m and -Xmx set to 2048m.

Would you recommend a higher heap size as well?

Thanks,
Robin

On Wed, Oct 12, 2016 at 10:03 AM, Stian Thorgersen wrote:
> Could be https://issues.jboss.org/browse/KEYCLOAK-3202 if so it's not
> fixed in 1.9.8.
> There's a work around though, you can set "<eviction max-entries="10000" strategy="LRU"/>" for the realmVersions cache. Also,
> make sure you have a sane max entries on the users cache.
>
> On 11 October 2016 at 15:33, Bill Burke wrote:
> > I believe we fixed some cache leakage problems sometime between 1.9.1
> > and 1.9.8. You'll have to search JIRA. I strongly suggest you upgrade
> > to 1.9.8. We did a huge amount of stability, performance, and bug fixes
> > between 1.9.1 and 1.9.8 to get Keycloak ready for product. RH-SSO is
> > based on Keycloak 1.9.8.
> >
> > On 10/10/16 11:21 AM, robinfernandes . wrote:
> > > Hi,
> > >
> > > We are using Keycloak 1.9.2.Final and have a cluster with an hap and 3
> > > keycloak nodes behind it.
> > > For the first time in about 4-6 months we received errors that java heap
> > > space out of memory and the nodes just went down.
> > > We had around 100k users as well as 35k active connections at the time.
> > > We have around 512MB heap space assigned.
> > >
> > > I am not able to reproduce it after restarting the nodes.
> > >
> > > Is there any reason that this could happen?

From robin1233 at gmail.com Tue Nov 22 13:48:30 2016
From: robin1233 at gmail.com (robinfernandes .)
Date: Tue, 22 Nov 2016 13:48:30 -0500
Subject: [keycloak-user] Out of memory error on Keycloak cluster
In-Reply-To:
References:
Message-ID:

Sorry here are the error logs:

19:28:18,508 ERROR [stderr] (Incoming-1,ee,a1-dev-ksa049c) Exception in thread "INT-6,ee,a1-dev-ksa049c" java.lang.OutOfMemoryError: GC overhead limit exceeded
19:28:23,544 ERROR [stderr] (Incoming-1,ee,a1-dev-ksa049c) ava.lang.OutOfMemoryError: GC overhead limit exceededdev-ksa049c" 7.196:7600],ee,a1-dev-ksa049c" lang.OutOfMemoryError: GC overhead limit exceededException in thread "Incoming-1,ee,a1-dev-ksa049c" java.lang.OutOfMemoryError: GC overhead limit exceeded
19:28:28,099 ERROR [org.jgroups.protocols.UNICAST3] (OOB-50,ee,a1-dev-ksa049c) JGRP000039: a1-dev-ksa049c: failed to deliver OOB message [dst: a1-dev-ksa049c, src: a1-dev-ksa049b (4 headers), size=8602 bytes, flags=OOB|DONT_BUNDLE|NO_TOTAL_ORDER]: java.lang.OutOfMemoryError: GC overhead limit exceeded
19:28:33,187 ERROR [org.jgroups.protocols.UNICAST3] (OOB-58,ee,a1-dev-ksa049c) JGRP000039: a1-dev-ksa049c: failed to deliver OOB message [dst: a1-dev-ksa049c, src: a1-dev-ksa049b (4 headers), size=7 bytes, flags=OOB|DONT_BUNDLE|NO_TOTAL_ORDER]: java.lang.OutOfMemoryError: GC overhead limit exceeded
19:28:01,882 WARN [org.jgroups.protocols.pbcast.NAKACK2] (INT-8,ee,a1-dev-ksa049c) JGRP000041: a1-dev-ksa049c: message a1-dev-ksa049c::50545 not found in retransmission table
Exception: java.lang.OutOfMemoryError thrown from the UncaughtExceptionHandler in thread "pool-8-thread-1"
19:29:06,194 ERROR [org.jgroups.util.TimeScheduler3] (Timer runner-1,ee,a1-dev-ksa049c) failed submitting task to thread pool: java.lang.OutOfMemoryError: GC overhead limit exceeded
19:29:11,650 ERROR [org.jgroups.util.TimeScheduler3] (Timer-7,ee,a1-dev-ksa049c) failed executing task NAKACK2: RetransmitTask (interval=1000 ms): java.lang.OutOfMemoryError: GC overhead limit exceeded
19:29:04,656 ERROR [org.jgroups.protocols.UNICAST3] (OOB-47,ee,a1-dev-ksa049c) JGRP000039: a1-dev-ksa049c: failed to deliver OOB message [dst: a1-dev-ksa049c, src: a1-dev-ksa049a (4 headers), size=8503 bytes, flags=OOB|DONT_BUNDLE|NO_TOTAL_ORDER]: java.lang.OutOfMemoryError: GC overhead limit exceeded
19:29:17,055 ERROR [stderr] (INT-7,ee,a1-dev-ksa049c) Exception in thread "pool-8-thread-1" Exception in thread "INT-7,ee,a1-dev-ksa049c" java.lang.OutOfMemoryError: GC overhead limit exceeded
19:29:19,497 ERROR [org.jgroups.protocols.TCP] (TransferQueueBundler,ee,a1-dev-ksa049c) JGRP000034: a1-dev-ksa049c: failure sending message to a1-dev-ksa049b: java.lang.NullPointerException
19:29:27,964 ERROR [org.jgroups.util.TimeScheduler3] (Timer-7,ee,a1-dev-ksa049c) failed executing task UNICAST3: RetransmitTask (interval=500 ms): java.lang.OutOfMemoryError: GC overhead limit exceeded
19:29:40,151 ERROR [org.jgroups.util.TimeScheduler3] (Timer-7,ee,a1-dev-ksa049c) failed executing task FD: Monitor (timeout=3000ms): java.lang.OutOfMemoryError: GC overhead limit exceeded

On Tue, Nov 22, 2016 at 1:45 PM, robinfernandes . wrote:
> Hi Guys,
>
> I added the eviction policy to the standalone-ha.xml and it looks like this:
>
> [XML cache configuration not preserved by the archive; the attributes that survived are jndi-name="infinispan/Keycloak", owners="3", owners="3" and owners="1"]
>
> I ran some tests to do concurrent logins by spawning multiple threads and the Keycloak node still went down after there were around ~170K active sessions. Took the thread and heap dump as well if that is helpful. We have the -Xms set to 512m and -Xmx set to 2048m.
>
> Would you recommend a higher heap size as well?
>
> Thanks,
> Robin
>
> On Wed, Oct 12, 2016 at 10:03 AM, Stian Thorgersen wrote:
>
>> Could be https://issues.jboss.org/browse/KEYCLOAK-3202 if so it's not fixed in 1.9.8. There's a work around though, you can set "<eviction max-entries="10000" strategy="LRU"/>" for the realmVersions cache. Also, make sure you have a sane max entries on the users cache.
>>
>> On 11 October 2016 at 15:33, Bill Burke wrote:
>>
>> > I believe we fixed some cache leakage problems sometime between 1.9.1 and 1.9.8. You'll have to search JIRA. I strongly suggest you upgrade to 1.9.8. We did a huge amount of stability, performance, and bug fixes between 1.9.1 and 1.9.8 to get Keycloak ready for product. RH-SSO is based on Keycloak 1.9.8.
>> >
>> > On 10/10/16 11:21 AM, robinfernandes . wrote:
>> > > Hi,
>> > >
>> > > We are using Keycloak 1.9.2.Final and have a cluster with an hap and 3 keycloak nodes behind it.
>> > > For the first time in about 4-6 months we received errors that java heap space out of memory and the nodes just went down.
>> > > We had around 100k users as well as 35k active connections at the time.
>> > > We have around 512MB heap space assigned.
>> > >
>> > > I am not able to reproduce it after restarting the nodes.
>> > >
>> > > Is there any reason that this could happen?
>> > >
>> > > _______________________________________________
>> > > keycloak-user mailing list
>> > > keycloak-user at lists.jboss.org
>> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

From pygator at linux.com Tue Nov 22 21:14:53 2016
From: pygator at linux.com (Ricardo Chu)
Date: Tue, 22 Nov 2016 21:14:53 -0500
Subject: [keycloak-user] Keycloak with EZproxy
In-Reply-To:
References:
Message-ID:

Stian,
I created a JIRA for this problem: https://issues.jboss.org/browse/KEYCLOAK-3950
We will try your other suggestions too.
Rick

On Thu, Nov 10, 2016 at 6:37 AM, Stian Thorgersen wrote:
> Looks like a bug on our end. If request includes NameIDPolicy, but format is missing it'll throw a NPE:
>
> https://github.com/keycloak/keycloak/blob/2.2.0.Final/services/src/main/java/org/keycloak/protocol/saml/SamlService.java#L262
>
> Format is optional so we should handle this. You can create a JIRA for it and we'll fix. In the mean time if you can get it to include a format or don't include the NameIDPolicy it may work.
>
> On 8 November 2016 at 14:38, Ricardo Chu wrote:
>
>> Stian,
>> We set the "Client Signature Required" to off. See print screen here:
>> https://drive.google.com/open?id=0B7GnoaXLMbnOS1l4dkNmQjFPSUk
>>
>> I restarted keycloak and attempted to login via ezproxy. It looks like we get a little further down the login process but now get a NPE.
>>
>> You can see the log excerpt here: https://bitbucket.org/snippets/rachu/ddRze
>>
>> Rick
>>
>> On Mon, Nov 7, 2016 at 1:15 AM, Stian Thorgersen wrote:
>>
>>> First guess is that EZProxy is not signing the login assertion and the client is configured in KC admin console to require signatures. Try turning "Client Signature Required" off for the client in the Keycloak admin console.
>>>
>>> On 5 November 2016 at 14:36, Ricardo Chu wrote:
>>>
>>>> Here is the trace output of this problem:
>>>> https://bitbucket.org/snippets/rachu/ddRze/keycloak-ezproxy-problem
>>>>
>>>> This log includes the startup of keycloak and the login attempt. The login fails and the message "invalid requester" is displayed in the browser.
>>>>
>>>> The trace shows the "Invalid signature on document" message.
>>>> Line 5211 says "Cannot find Signature element".
>>>>
>>>> Any idea what may cause this?
>>>>
>>>> Rick
>>>>
>>>> On Fri, Sep 30, 2016 at 3:25 AM, Stian Thorgersen wrote:
>>>>
>>>>> "XML External Entity switches are not supported. You may get XML injection vulnerabilities." is just a warning and shouldn't have anything to do with the issue.
>>>>>
>>>>> Try enabling trace logging for org.keycloak and see if you get any more details.
>>>>>
>>>>> On 23 September 2016 at 14:52, Bill Kuntz wrote:
>>>>>
>>>>> > Thanks.
>>>>> >
>>>>> > When we attempt to authenticate using keycloak 2.2.0_final, we get the following log entries on the Keycloak server:
>>>>> >
>>>>> > 2016-09-23 08:44:09,842 WARN [org.keycloak.saml.common] (default task-1) XML External Entity switches are not supported. You may get XML injection vulnerabilities.
>>>>> >
>>>>> > 2016-09-23 08:44:09,948 ERROR [org.keycloak.protocol.saml.SamlService] (default task-1) request validation failed: org.keycloak.common.VerificationException: Invalid signature on document
>>>>> >     at org.keycloak.protocol.saml.SamlProtocolUtils.verifyDocumentSignature(SamlProtocolUtils.java:57)
>>>>> >     at org.keycloak.protocol.saml.SamlProtocolUtils.verifyDocumentSignature(SamlProtocolUtils.java:50)
>>>>> >     at org.keycloak.protocol.saml.SamlService$PostBindingProtocol.verifySignature(SamlService.java:405)
>>>>> >     at org.keycloak.protocol.saml.SamlService$BindingProtocol.handleSamlRequest(SamlService.java:186)
>>>>> >     at org.keycloak.protocol.saml.SamlService$PostBindingProtocol.execute(SamlService.java:428)
>>>>> >     at org.keycloak.protocol.saml.SamlService.postBinding(SamlService.java:504)
>>>>> >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>> >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>>>> >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>> >     at java.lang.reflect.Method.invoke(Method.java:498)
>>>>> >     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
>>>>> >     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>>>>> >     at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>>>>> >     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>>>>> >     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>>>>> >     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
>>>>> >     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
>>>>> >     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>>>>> >     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>>>>> >     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>>>>> >     at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>>>>> >     at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>>>>> >     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>>>>> >     at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>>>>> >     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>>>>> >     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>>>>> >     at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>>>>> >     at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>>>>> >     at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>>>>> >     at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>>>>> >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>> >     at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>>>>> >     at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>>>>> >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>> >     at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>>>> >     at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>>>>> >     at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>>>>> >     at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>>>> >     at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>>>>> >     at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>>>>> >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>> >     at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>>>> >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>> >     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>>>> >     at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>>>>> >     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>>>>> >     at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>>>>> >     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>>>>> >     at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>>>>> >     at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>>>>> >     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>>> >     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>>> >     at java.lang.Thread.run(Thread.java:745)
>>>>> >
>>>>> > 2016-09-23 08:44:10,075 WARN [org.keycloak.events] (default task-1) type=LOGIN_ERROR, realmId=FLVC, clientId=null, userId=null, ipAddress=192.168.33.51, error=invalid_signature
>>>>> >
>>>>> > I have verified that the keys on the client match the server. Does the XML External Entities have something to do with this?
>>>>> >
>>>>> > Any help is appreciated.
>>>>> >
>>>>> > Thanks,
>>>>> >
>>>>> > Bill
>>>>> >
>>>>> > From: Stian Thorgersen [mailto:sthorger at redhat.com]
>>>>> > Sent: Thursday, September 08, 2016 2:31 AM
>>>>> > To: Bill Kuntz
>>>>> > Cc: keycloak-user at lists.jboss.org
>>>>> > Subject: Re: [keycloak-user] Keycloak with EZproxy
>>>>> >
>>>>> > Not sure what they mean about "authentication sequence identical to a standard Shibboleth Identity Provider", but Keycloak is pretty configurable so it should be possible to adapt the SAML configuration for the client to make it work with EZProxy.
>>>>> >
>>>>> > On 1 September 2016 at 17:47, Bill Kuntz wrote:
>>>>> >
>>>>> > Has anyone successfully used Keycloak with OCLC's EZProxy? We have been experimenting with Keycloak, and have been able to get it working with other SPs, but not EZProxy.
>>>>> >
>>>>> > OCLC says "EZproxy supports connecting to non-Shibboleth SAML2 SSO systems if and only if that system uses an authentication sequence identical to a standard Shibboleth Identity Provider (IDP)."
>>>>> >
>>>>> > Thanks,
>>>>> > Bill
>>>>> >
>>>>> > _______________________________________________
>>>>> > keycloak-user mailing list
>>>>> > keycloak-user at lists.jboss.org
>>>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>> >
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>>
>>>>
>>>
>>
>

From mposolda at redhat.com Wed Nov 23 03:24:05 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 23 Nov 2016 09:24:05 +0100
Subject: [keycloak-user] looking for samples and howto's
In-Reply-To: <76e51f7e-35a1-6de4-bef7-f392b8342a7d@merit.unu.edu>
References: <39c9d197-6f88-e2cb-eaa6-f65eb7d77717@merit.unu.edu> <76e51f7e-35a1-6de4-bef7-f392b8342a7d@merit.unu.edu>
Message-ID: <6be73303-9e48-d098-524a-00bbe822bce2@redhat.com>

On 22/11/16 12:56, lists wrote:
> Hi Marek,
>
> On 22-11-2016 8:46, Marek Posolda wrote:
>> Hi,
>>
>> did you try our keycloak-examples distribution? You can download it from the keycloak homepage. Then you can try the existing examples. Probably those in directories:
>> - saml
>> - broker/saml-broker-authentication
>>
>> will be most interesting for you.
>
> * I downloaded the keycloak-examples (2.4.0.CR1) distr on another machine, and started the server:
> keycloak-demo-2.4.0.CR1/keycloak/bin/standalone.sh
>
> * added admin user and were able to login Wildfly at localhost:9990
Note that admin user from Wildfly is something different than admin user from Keycloak.
See docs for details https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.4/topics/initialization.html
>
> In WildFly I see a deployed keycloak-server.war and that's about it.
> Is this the no-config required demo distribution?
>
> I'm not sure how to continue..? I can see the directories saml and broker/saml-broker-authentication in ./examples, but what to do with them?
There should be README.md file in each of these directories with further instructions.

Marek

>
> Apologies for the basic questions....
>
> MJ

From lists at merit.unu.edu Wed Nov 23 05:44:27 2016
From: lists at merit.unu.edu (mj)
Date: Wed, 23 Nov 2016 11:44:27 +0100
Subject: [keycloak-user] looking for samples and howto's
In-Reply-To: <6be73303-9e48-d098-524a-00bbe822bce2@redhat.com>
References: <39c9d197-6f88-e2cb-eaa6-f65eb7d77717@merit.unu.edu> <76e51f7e-35a1-6de4-bef7-f392b8342a7d@merit.unu.edu> <6be73303-9e48-d098-524a-00bbe822bce2@redhat.com>
Message-ID:

Hi Marek,

> Note that admin user from Wildfly is something different than admin user from Keycloak. See docs for details
> https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.4/topics/initialization.html

Yes, found that out.

> There should be README.md file in each of these directories with further instructions.

Found it. Unsure where/how to run 'mvn clean install wildfly:deploy' but I did manage to take a look at configured clients, and learned a lot from that. With that knowledge, I managed to make two external clients work. :-)

I am planning to make a short tutorial on this basic stuff, as this exercise took a lot of time... :-)

All the examples / documents that keycloak provides are very java-centred, jboss, wildfly, etc, etc. If all of that is new to you (as it is to me) then getting some basic functionality up and running is really quite a task. (specially if you're also new to saml, as I am also)

I am planning to make a short howto on keycloak as an IdP with simplesamlphp as a SP.
And perhaps also keycloak IdP with a wordpress saml extension.

Again, I found keycloak very difficult to get started with, for a person not fluent in the java / jboss / wildfly ecosystem.

But: Thanks a lot for your patience and kind help, Marek!

MJ

From j_larsson85 at hotmail.com Wed Nov 23 07:27:02 2016
From: j_larsson85 at hotmail.com (johannes Larsson)
Date: Wed, 23 Nov 2016 12:27:02 +0000
Subject: [keycloak-user] Extending admin interface
Message-ID:

Hi,

It would be great to extend the admin interface with some more list options. For example, for me it would be awesome to see all fields for the users in the manage users section and also sort the list by the different columns. For now it is difficult to get an overview over how many users that has accepted the terms, verified the email, when they signed up etcetera.

Is this possible to solve or is the idea to use the api to make this type of analysis?

Thanks and kind regards,

Johannes

From bruno at abstractj.org Wed Nov 23 07:45:40 2016
From: bruno at abstractj.org (Bruno Oliveira)
Date: Wed, 23 Nov 2016 10:45:40 -0200
Subject: [keycloak-user] Extending admin interface
In-Reply-To:
References:
Message-ID: <20161123124540.GA9599@abstractj.org>

Hi, I would try to take a look at the docs here:
https://keycloak.gitbooks.io/server-developer-guide/content/v/2.3/topics/extensions.html

On 2016-11-23, johannes Larsson wrote:
> Hi,
>
> It would be great to extend the admin interface with some more list options. For example, for me it would be awesome to see all fields for the users in the manage users section and also sort the list by the different columns. For now it is difficult to get an overview over how many users that has accepted the terms, verified the email, when they signed up etcetera.
>
> Is this possible to solve or is the idea to use the api to make this type of analysis?
>
> Thanks and kind regards,
>
> Johannes
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
abstractj
PGP: 0x84DC9914

From niko at n-k.de Wed Nov 23 08:00:54 2016
From: niko at n-k.de (Niko Köbler)
Date: Wed, 23 Nov 2016 14:00:54 +0100
Subject: [keycloak-user] Package "keycloak-server-spi-private" in KC 2.4.x
Message-ID: <5A670201-4EB3-45A3-9DDE-4DB4DA269EA0@n-k.de>

Hi Team,

with KC 2.4.0.CR1 you introduced a new package "keycloak-server-spi-private" and moved some classes to this package from the "keycloak-server-spi", especially the KeycloakModelUtils class, which I used so far in an SPI.

Is it intended to use and depend on the "private" package in own SPIs/implementations or is it just for Keycloak private usage?

Thanks,
- Niko

From ben.quirk at edlogics.com Wed Nov 23 11:21:25 2016
From: ben.quirk at edlogics.com (Ben Quirk)
Date: Wed, 23 Nov 2016 11:21:25 -0500
Subject: [keycloak-user] Is there a way to include a link within an error message?
Message-ID: <553a601d245a5$a60c73c0$f2255b40$@edlogics.com>

My scenario: A user requests a password reset but their link expires. When they click the link, they're shown an error message that comes from the message property: "invalidCodeMessage".

Is it possible to include a new password reset link here so they can easily request a new one?

I figured I could do this in the template, however it looks like error.tpl is used for all errors and the message is being rendered with "${message.summary}" so I can't easily pass a message parameter through via the template.

Thanks in advance,

Ben

From nafiux at gmail.com Wed Nov 23 11:40:40 2016
From: nafiux at gmail.com (Ignacio Ocampo)
Date: Wed, 23 Nov 2016 08:40:40 -0800
Subject: [keycloak-user] Policy by Client (microservices)
Message-ID:

Hello Team,

I'm new in Keycloak authorization, I've read all the documentation already.
I would like to know if there is a kind of *Policy that can match Client name* (maybe thru Rule based JavaScript).

I'm creating an API Gateway and I want to validate who is trying to reach who other (restrict by ClientId).

Thanks a lot.

Regards.

--
Ignacio Ocampo Millán

From sthorger at redhat.com Wed Nov 23 13:42:55 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 23 Nov 2016 19:42:55 +0100
Subject: [keycloak-user] Package "keycloak-server-spi-private" in KC 2.4.x
In-Reply-To: <5A670201-4EB3-45A3-9DDE-4DB4DA269EA0@n-k.de>
References: <5A670201-4EB3-45A3-9DDE-4DB4DA269EA0@n-k.de>
Message-ID:

You can use things in private as well. Just be aware they are not supported in supported version (Red Hat Single Sign-On) and can be changed in the future.

On 23 Nov 2016 14:03, "Niko Köbler" wrote:
> Hi Team,
>
> with KC 2.4.0.CR1 you introduced a new package "keycloak-server-spi-private" and moved some classes to this package from the "keycloak-server-spi", especially the KeycloakModelUtils class, which I used so far in an SPI.
>
> Is it intended to use and depend on the "private" package in own SPIs/implementations or is it just for Keycloak private usage?
>
> Thanks,
> - Niko
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From bruno at abstractj.org Wed Nov 23 14:53:36 2016
From: bruno at abstractj.org (Bruno Oliveira)
Date: Wed, 23 Nov 2016 17:53:36 -0200
Subject: [keycloak-user] Policy by Client (microservices)
In-Reply-To:
References:
Message-ID: <20161123195336.GC28404@abstractj.org>

Does it help -> https://keycloak.gitbooks.io/authorization-services-guide/content/v/2.3/topics/policy/evaluation-api.html ?

On 2016-11-23, Ignacio Ocampo wrote:
> Hello Team,
>
> I'm new in Keycloak authorization, I've read all the documentation already.
>
> I would like to know if there is a kind of *Policy that can match Client name* (maybe thru Rule based JavaScript).
>
> I'm creating an API Gateway and I want to validate who is trying to reach who other (restrict by ClientId).
>
> Thanks a lot.
>
> Regards.
>
> --
> Ignacio Ocampo Millán
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
abstractj
PGP: 0x84DC9914

From bruno at abstractj.org Wed Nov 23 15:00:55 2016
From: bruno at abstractj.org (Bruno Oliveira)
Date: Wed, 23 Nov 2016 18:00:55 -0200
Subject: [keycloak-user] Is there a way to include a link within an error message?
In-Reply-To: <553a601d245a5$a60c73c0$f2255b40$@edlogics.com>
References: <553a601d245a5$a60c73c0$f2255b40$@edlogics.com>
Message-ID: <20161123200055.GD28404@abstractj.org>

I don't follow you on this. Why can't your user request a password reset[1] again after the link expires? That's the standard flow for most applications. I believe that it is possible to implement a custom authentication flow, but at first glance such a requirement sounds odd to me.

[1] - https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.1/topics/login-settings/forgot-password.html

On 2016-11-23, Ben Quirk wrote:
> My scenario: A user requests a password reset but their link expires. When they click the link, they're shown an error message that comes from the message property: "invalidCodeMessage".
>
> Is it possible to include a new password reset link here so they can easily request a new one?
>
> I figured I could do this in the template, however it looks like error.tpl is used for all errors and the message is being rendered with "${message.summary}" so I can't easily pass a message parameter through via the template.
>
> Thanks in advance,
>
> Ben
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
abstractj
PGP: 0x84DC9914

From nafiux at gmail.com Thu Nov 24 01:31:26 2016
From: nafiux at gmail.com (Ignacio Ocampo)
Date: Wed, 23 Nov 2016 22:31:26 -0800
Subject: [keycloak-user] Policy by Client (microservices)
In-Reply-To: <20161123195336.GC28404@abstractj.org>
References: <20161123195336.GC28404@abstractj.org>
Message-ID:

Hello Bruno,

Thanks for your help! It seems that kc.client.id can do the work, I will try with this approach.

Thanks.

Regards.

On Wed, Nov 23, 2016 at 11:53 AM, Bruno Oliveira wrote:
> Does it help -> https://keycloak.gitbooks.io/authorization-services-guide/content/v/2.3/topics/policy/evaluation-api.html ?
>
> On 2016-11-23, Ignacio Ocampo wrote:
> > Hello Team,
> >
> > I'm new in Keycloak authorization, I've read all the documentation already.
> >
> > I would like to know if there is a kind of *Policy that can match Client name* (maybe thru Rule based JavaScript).
> >
> > I'm creating an API Gateway and I want to validate who is trying to reach who other (restrict by ClientId).
> >
> > Thanks a lot.
> >
> > Regards.
> >
> > --
> > Ignacio Ocampo Millán
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
>
> abstractj
> PGP: 0x84DC9914
>

--
Ignacio Ocampo Millán

From sthorger at redhat.com Thu Nov 24 05:00:28 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 24 Nov 2016 11:00:28 +0100
Subject: [keycloak-user] Keycloak 2.4.0.Final Released
Message-ID:

Keycloak 2.4.0.Final has just been released. There are no changes since 2.4.0.CR1.

To download the release go to the Keycloak homepage.
Before you upgrade refer to the migration guide.

From jayapriya.atheesan at gmail.com Thu Nov 24 05:24:39 2016
From: jayapriya.atheesan at gmail.com (JAYAPRIYA ATHEESAN)
Date: Thu, 24 Nov 2016 15:54:39 +0530
Subject: [keycloak-user] Keycloak user registration
Message-ID: <5836bfea.c241620a.c2fa9.c175@mx.google.com>

Hi Team,

If I don't verify the email id which I signed up with keycloak and if the email verification link is expired, how to proceed about it. If I try to signup using the same email Id, I get an error saying mail id already exists. Do we have any solution for this issue?

Thanks,
Jayapriya Atheesan

---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus

From tikovsky.tomas at gmail.com Thu Nov 24 07:32:54 2016
From: tikovsky.tomas at gmail.com (Tomas Tikovsky)
Date: Thu, 24 Nov 2016 13:32:54 +0100
Subject: [keycloak-user] Suggestions and fix for e-directory user federation provider
Message-ID:

Hello everyone,

I'm using e-directory federation ldap provider and came to this bug KEYCLOAK-3099 as I was experiencing the same problem. e-Directory sends guid attribute as byte[] so it needs to be declared as binary the same way as it's done for activeDirectory. Sending simple diff to fix this issue if you consider this as helpful. Novell was acquired by microfocus and their product has been renamed to netIQ eDirectory so I incorporated that change as well.

Another thing I noted were 2 incorrect attribute mappings in administration console.

"username" -> "uid" correct as long as users are enabled for linux (not default) otherwise cn. So cn should work for more cases than uid.
"firstname" -> "cn" wrong, should be "givenname" Cheers Tom From keycloaklist at ulise.de Thu Nov 24 09:41:36 2016 From: keycloaklist at ulise.de (Uli SE) Date: Thu, 24 Nov 2016 15:41:36 +0100 Subject: [keycloak-user] NTLM Authentication with keycloak mail Message-ID: <51bb0ef3-c5fc-5a6c-34d7-0ac9a647a7f6@ulise.de> Hi, is there a way to connect the keycloak mail feature (smtp) to an exchange server using ntlm autentication? Many thanks, Uli From java at neposoft.com Thu Nov 24 10:06:49 2016 From: java at neposoft.com (java_os) Date: Thu, 24 Nov 2016 10:06:49 -0500 Subject: [keycloak-user] keycloak logout.js on brokering idp mode Message-ID: <809d4e91eef1b1fc5452275cda347c23.squirrel@neposoft.com> Anyone here be able to say what really happens behind the scenes when using keycloak.js LOGOUT? Need to know how it relates to the following 2 configs: - Single Logout Service URL - Backchannel Logout My thought is that if the above 2 settings are left empty, keycloak will kill its current browser session and redirect to the IDP login page? Y/N? If SLSU is set will call into the IDP logout url, kill browser session and display IDP login page. What is Backchannel Logout ON/OFF doing. Keycloak devs, anyone can explain in details around logout through keycloak.js? Problem I see, when brokering Shibboleth, it fires request on shib and it returns AuthFailed response- no idea why. Same flow, when IDP is ADFS runs just fine. I know shib I am forced to use is an outdated one: 2.3.3 Thanks From Edgar at info.nl Thu Nov 24 10:18:40 2016 From: Edgar at info.nl (Edgar Vonk - Info.nl) Date: Thu, 24 Nov 2016 15:18:40 +0000 Subject: [keycloak-user] Hardcoded role mappers in user federation provider - roles not applied Message-ID: <48AD9DE5-2C6E-42D9-B39D-9F5F7DC456EA@info.nl> Hi all, We are struggling with the hardcoded role mapper in Keycloak 2.3.0.Final. 
What we have is a User Federation provider that connects to MSAD/LDAP with:
- a hardcoded role mapper that adds role X
- a hardcoded role mapper that adds role Y
- a role mappings mapper that maps all LDAP groups in a certain DN to predefined roles in Keycloak; now the thing is: these LDAP groups map to the very same predefined roles X and Y

My first question: is this setup supposed to work? Do the hardcoded role mappers play nicely with a role mappings mapper when they use the same roles? What we see so far is kind of unpredictable. Sometimes users end up with role X, sometimes with no role at all, etc. What I think is happening is:
- the mappers are applied in random order in Keycloak (is this the case?)
- the role mappings mapper may remove roles X and/or Y if they were applied by a hardcoded role mapper, if it happens to be applied last?

cheers Edgar

From i.pop at centurylink.net Thu Nov 24 14:11:52 2016 From: i.pop at centurylink.net (i.pop at centurylink.net) Date: Thu, 24 Nov 2016 14:11:52 -0500 (EST) Subject: [keycloak-user] how to clean-up OFFLINE_CLIENT_SESSION, OFFLINE_USER_SESSION tables Message-ID: <137175604.28982403.1480014712412.JavaMail.root@centurylink.net>

Hi, Working in domain clustered mode with a shared Oracle DB, I am noticing that the {OFFLINE_CLIENT_SESSION, OFFLINE_USER_SESSION} tables keep growing in size. How do these tables get cleaned up? Thanks, Ioan

From keycloaklist at ulise.de Thu Nov 24 17:34:57 2016 From: keycloaklist at ulise.de (Uli SE) Date: Thu, 24 Nov 2016 23:34:57 +0100 Subject: [keycloak-user] NTLM Authentication with keycloak mail In-Reply-To: <51bb0ef3-c5fc-5a6c-34d7-0ac9a647a7f6@ulise.de> References: <51bb0ef3-c5fc-5a6c-34d7-0ac9a647a7f6@ulise.de> Message-ID: <8104a16a-454c-2ccd-caeb-9bc1248a57bc@ulise.de>

Yes, I did it. Works perfectly. Had some problems with an antivirus/firewall, but not with Keycloak. The effect was: Thunderbird was able to send a mail, Keycloak (or Java) wasn't. Sorry for the question.
Uli

On 24.11.2016 at 15:41, Uli SE wrote:
> Hi,
>
> is there a way to connect the keycloak mail feature (smtp) to an
> exchange server using ntlm authentication?
>
> Many thanks,
>
> Uli
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From jessec at stytch.com Thu Nov 24 19:48:55 2016 From: jessec at stytch.com (Jesse Chahal) Date: Thu, 24 Nov 2016 16:48:55 -0800 Subject: [keycloak-user] Wildfly adapter: failed to turn code into token: java.net.SocketException Message-ID:

We very recently started working on moving our web/app servers to AWS ECS (Docker). We have been using Docker locally for a very long time without issues. During this transition we started seeing intermittent login failures through the normal confidential browser redirect flow (not using implicit). It inconsistently fails during the process of turning an authorization code into a bearer+refresh_token. The exception is always the same as well. I have done tcpdump packet analysis for things such as RST packets but have not seen anything that would result in this issue. I have confirmed that the adapter does have the authorization code (although I don't know how to validate it). I have confirmed that the date+times are synchronized on both the auth server and the app server (therefore no weird expiration issues). I have posted a stack trace from the adapter in case anyone else has seen this issue before. I'm hoping at the very least that maybe we could add a retry mechanism to the adapter if a Connection reset issue occurs, if no other solutions present themselves.

Current network setup: Keycloak 2.1.0.Final on CentOS 6 EC2/VM --> AWS ELB load balancer --> internet --> ? <--------------------------------------------------------------------- ----------- ?
AWS NAT Gateway --> AWS ELB load balancer --> Amazon Linux ECS EC2/VM --> Wildfly10 docker container + keycloak 2.1.0-wildfly-adapter ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-13) [ ] failed to turn code into token: java.net.SocketException: Connection reset at java.net.SocketInputStream.read(SocketInputStream.java:209) [rt.jar:1.8.0_111] at java.net.SocketInputStream.read(SocketInputStream.java:141) [rt.jar:1.8.0_111] at sun.security.ssl.InputRecord.readFully(InputRecord.java:465) [jsse.jar:1.8.0_111] at sun.security.ssl.InputRecord.read(InputRecord.java:503) [jsse.jar:1.8.0_111] at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973) [jsse.jar:1.8.0_111] at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:930) [jsse.jar:1.8.0_111] at sun.security.ssl.AppInputStream.read(AppInputStream.java:105) [jsse.jar:1.8.0_111] at org.apache.http.impl.io.AbstractSessionInputBuffer.fillBuffer(AbstractSessionInputBuffer.java:160) at org.apache.http.impl.io.SocketInputBuffer.fillBuffer(SocketInputBuffer.java:84) at org.apache.http.impl.io.AbstractSessionInputBuffer.readLine(AbstractSessionInputBuffer.java:273) at org.apache.http.impl.conn.DefaultHttpResponseParser.parseHead(DefaultHttpResponseParser.java:140) at org.apache.http.impl.conn.DefaultHttpResponseParser.parseHead(DefaultHttpResponseParser.java:57) at org.apache.http.impl.io.AbstractMessageParser.parse(AbstractMessageParser.java:261) at org.apache.http.impl.AbstractHttpClientConnection.receiveResponseHeader(AbstractHttpClientConnection.java:283) at org.apache.http.impl.conn.DefaultClientConnection.receiveResponseHeader(DefaultClientConnection.java:251) at org.apache.http.impl.conn.AbstractClientConnAdapter.receiveResponseHeader(AbstractClientConnAdapter.java:223) at org.apache.http.protocol.HttpRequestExecutor.doReceiveResponse(HttpRequestExecutor.java:272) at org.apache.http.protocol.HttpRequestExecutor.execute(HttpRequestExecutor.java:124) at 
org.apache.http.impl.client.DefaultRequestDirector.tryExecute(DefaultRequestDirector.java:685) at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:487) at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55) at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:107) at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:327) at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:273) at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:130) at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110) at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:92) at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233) at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250) at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219) at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121) at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:96) at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:89) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55) at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33) at 
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) 
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_111] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_111] at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_111] 2016-11-24 22:37:14,255 WARN [com.indicee.service.authorization.EjbTimerInterceptor] (default task-13) [ ] UserIdentityServiceImpl:findByEmail took 484 ms 2016-11-24 22:37:14,256 WARN [com.indicee.service.authorization.EjbTimerInterceptor] (default task-13) [ ] AccountSrvImpl:isCurrentAccountUnknown took 499 ms 2016-11-24 22:37:14,257 WARN [com.indicee.service.authorization.EjbTimerInterceptor] (default task-13) [ ] BrandedVariableLookupSrvImpl:cacheKey took 500 ms 2016-11-24 22:37:14,959 WARN [com.indicee.service.authorization.EjbTimerInterceptor] (default task-13) [ ] UserIdentityServiceImpl:findByEmail took 697 ms 2016-11-24 22:37:14,960 WARN [com.indicee.service.authorization.EjbTimerInterceptor] (default task-13) [ ] AccountSrvImpl:isCurrentAccountUnknown took 701 ms 2016-11-24 22:37:14,962 WARN [com.indicee.service.authorization.EjbTimerInterceptor] (default task-13) [ ] BrandedVariableLookupSrvImpl:getVariables took 703 ms 2016-11-24 22:37:15,095 INFO [com.indicee.service.servlet.filter.ClientRequestIdFilter] (default task-14) [ ] Setting clientId [gwt_43cpg2jpm5oklfjkuue204jsmh] for session [qAYdgQ6PytsZ8kG5ah6mxEdmGeNPQpgT_2ExqU6A] created [1480026525644] 2016-11-24 22:37:15,096 INFO [com.indicee.service.servlet.filter.ClientRequestIdFilter] (default task-14) [ ] clientRequestId via atomic integer = [gwt_43cpg2jpm5oklfjkuue204jsmh_0] 2016-11-24 22:37:15,138 INFO [com.indicee.service.servlet.filter.ClientRequestIdFilter] (default task-15) [ ] clientRequestId via atomic integer = [gwt_43cpg2jpm5oklfjkuue204jsmh_1] 2016-11-24 22:37:15,224 INFO 
[com.indicee.service.servlet.filter.ClientRequestIdFilter] (default task-12) [ ] clientRequestId via atomic integer = [gwt_43cpg2jpm5oklfjkuue204jsmh_2] 2016-11-24 22:37:15,635 WARN [com.indicee.service.authorization.EjbTimerInterceptor]

From mariusz at info.nl Fri Nov 25 02:42:37 2016 From: mariusz at info.nl (Mariusz Chruscielewski - Info.nl) Date: Fri, 25 Nov 2016 07:42:37 +0000 Subject: [keycloak-user] Keycloak - force session revalidation (update?) Message-ID:

Hi, In our case, when a customer pays for a subscription, we add the subscription number and an additional role to his account in KC. During this process the customer is logged in; is there a way to smoothly update his session details to include the new role (without logout/login)? We use the Java adapter to secure our webapp. Is there a way to update the Keycloak context from Java (API call?)
Kind Regards, Mariusz Chruścielewski software engineer mariusz at info.nl | LinkedIn | +31 (0)20 530 9113 info.nl Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 9100

From mail at jonasw.de Fri Nov 25 03:25:32 2016 From: mail at jonasw.de (Jonas Weber) Date: Fri, 25 Nov 2016 09:25:32 +0100 Subject: [keycloak-user] User Federation Mapper :: LDAP :: group-ldap-mapper gives NullPointerException In-Reply-To: <1479998660497.15812.13628@webmail2> References: <1479998444632.72126.13614@webmail7> <1479998660497.15812.13628@webmail2> Message-ID: <1480062332213.15786.19460@webmail2>

Hi, I'm using the current jboss/keycloak-postgres:2.4.0.Final Docker image to spin up a Keycloak instance (in connection with a dockerized Postgres and an external OpenLDAP). When I use a User Federation provider based on LDAP I can sync users perfectly fine. But it fails when I try to use a group-ldap-mapper or a role-ldap-mapper, with a NullPointerException on sync:

13:07:26,114 ERROR [io.undertow.request] (default task-29) UT005023: Exception handling request to /auth/admin/realms/master/user-storage/eff22c64-a503-4f19-a5bc-80950c8f29f5/mappers/e66ce32c-a3e5-4f4c-a629-4ced9ab571dd/sync: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at 
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) Caused by: java.lang.NullPointerException at org.keycloak.services.resources.admin.UserStorageProviderResource.syncMapperData(UserStorageProviderResource.java:147) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at 
org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395) ... 37 more

Am I doing something wrong? Or is this a bug? Best regards, Jonas Weber

From mposolda at redhat.com Fri Nov 25 03:50:20 2016 From: mposolda at redhat.com (Marek Posolda) Date: Fri, 25 Nov 2016 09:50:20 +0100 Subject: [keycloak-user] User Federation Mapper :: LDAP :: group-ldap-mapper gives NullPointerException In-Reply-To: <1480062332213.15786.19460@webmail2> References: <1479998444632.72126.13614@webmail7> <1479998660497.15812.13628@webmail2> <1480062332213.15786.19460@webmail2> Message-ID: <1154c7aa-ec6d-df50-6afb-49c998e608e2@redhat.com>

Could you please create a JIRA for this? Thanks, Marek

On 25/11/16 09:25, Jonas Weber wrote:
> Hi,
>
> I'm using the current jboss/keycloak-postgres:2.4.0.Final Docker image to spin up a KeyCloak instance (in connection with a dockerized Postgres and an external OpenLDAP). When I use a User Federation provider based on LDAP I can sync users perfectly fine.
> > But it fails when I try to use a group-ldap-mapper or a role-ldap-mapper with a NullPointerException on sync (): > > 13:07:26,114 ERROR [io.undertow.request] (default task-29) UT005023: Exception handling request to /auth/admin/realms/master/user-storage/eff22c64-a503-4f19-a5bc-80950c8f29f5/mappers/e66ce32c-a3e5-4f4c-a629-4ced9ab571dd/sync: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76) at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212) at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jbo! 
> ss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAsso! > ciationHandler.handleRequest(SecurityContextAssociationHandler! 
> .java:78 > ) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.Not! > ificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.! 
> java:174) at io.undertow.server.Connectors.executeRootHandler(! > Connecto > rs.java:202) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) Caused by: java.lang.NullPointerException at org.keycloak.services.resources.admin.UserStorageProviderResource.syncMapperData(UserStorageProviderResource.java:147) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMe! > thodInvoker.java:249) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395) ... 37 more > > Am I doing something wrong? Or is this a bug? 
>
> Best regards,
> Jonas Weber
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Fri Nov 25 04:01:40 2016 From: mposolda at redhat.com (Marek Posolda) Date: Fri, 25 Nov 2016 10:01:40 +0100 Subject: [keycloak-user] Wildfly adapter: failed to turn code into token: java.net.SocketException In-Reply-To: References: Message-ID:

Does this happen just if more users try to log in concurrently? It seems there is some limit somewhere for the maximum number of connections. Maybe it will help to increase the maximum number of threads in the undertow subsystem on the Keycloak side, or maybe on the AWS ELB load balancer side? Or maybe there is even some limit at the Docker level? AFAIK the Apache HTTP Client (which is used by our adapters under the hood for exchanging the code for a token) has some retry strategy enabled by default. AFAIK we don't allow tweaking this, but it's likely 1 or 2 retries for each failed HTTP request AFAIK. However this should rather be fixed by increasing the pool of connections for your server. Relying on Apache HTTP client retries doesn't look like a good solution IMO. Marek

On 25/11/16 01:48, Jesse Chahal wrote:
> We very recently started working on moving our web/app servers to AWS ECS
> (docker). We have been using docker locally for a very long time without
> issues.
> During this transition we started seeing intermittent login failures
> through the normal confidential browser redirect flow (not using implicit).
> It inconsistently fails during the process of turning an authorization code
> into a bearer+refresh_token. The exception is always the same as well. I
> have done
> tcpdumps packet analysis for things such as RST packets but have not seen
> anything that would result in this issue. I have confirmed that the adapter
> does
> have the authorization code (although I don't know how to validate it).
I have confirmed that the date+times are synchronized in both the auth server
> and the app server (therefore no weird expiration issues).
> I have posted a stack trace from the adapter in case anyone else has seen
> this issue before. I'm hoping at the very least that maybe we could add a
> retry mechanism to the adapter if a Connection reset issue occurs, if no other
> solutions present themselves.
>
> Current network setup:
> Keycloak 2.1.0.Final on Centos6 EC2/VM --> AWS ELB load balancer -->
> internet -->
>
>                                                                    |
> <--------------------------------------------------------------------------------
>                                                                    |
> AWS NAT Gateway --> AWS ELB load balancer --> Amazon Linux ECS EC2/VM -->
> Wildfly10 docker container + keycloak 2.1.0-wildfly-adapter
>
> ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-13) [ ] failed to turn code into token: java.net.SocketException: Connection reset
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Fri Nov 25 04:09:28 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 25 Nov 2016 10:09:28 +0100
Subject: [keycloak-user] keycloak logout.js on brokering idp mode
In-Reply-To: <809d4e91eef1b1fc5452275cda347c23.squirrel@neposoft.com>
References: <809d4e91eef1b1fc5452275cda347c23.squirrel@neposoft.com>
Message-ID: <92e83ef2-4d68-4333-eaba-7d11ffa7669d@redhat.com>

When you call keycloak.js logout, you will be redirected to the Keycloak
server LogoutEndpoint. This endpoint will:
- remove the UserSession on the Keycloak side
- expire the Keycloak browser cookies
- send a separate backchannel request to all the logged-in applications which
  use the servlet adapter (NOT javascript applications) and which have an
  "admin URL" configured. This backchannel logout will remove the HttpSession
  for every servlet application on its side
- Other javascript apps logged in the same browser rely on the Session IFrame.
  More info in our docs. In short, this IFrame checks every 5 seconds if the
  browser cookie KEYCLOAK_SESSION still exists on the Keycloak server and it
  will automatically log out if not. In other words, if you have 2 javascript
  applications in the same browser in different tabs and you call logout from
  application1, then application2 will be automatically logged out too within
  5 seconds at most.
- In short: all servlet and javascript apps in the same browser will be
  automatically logged out

Hope this helps,
Marek

On 24/11/16 16:06, java_os wrote:
> Anyone here be able to say what really happens behind the scenes when
> using keycloak.js LOGOUT?
> Need to know how it relates to the following 2 configs:
> - Single Logout Service URL
> - Backchannel Logout
>
> My thought is that if the above 2 settings are left empty, keycloak will
> kill its current browser session and redirect to the IDP login page? Y/N?
>
> If SLSU is set it will call into the IDP logout url, kill the browser session
> and display the IDP login page.
> What is Backchannel Logout ON/OFF doing?
> Keycloak devs, can anyone explain in detail around logout through
> keycloak.js?
>
> Problem I see, when brokering Shibboleth, it fires a request on shib and it
> returns an AuthFailed response - no idea why.
> Same flow, when the IDP is ADFS, runs just fine.
> I know the shib I am forced to use is an outdated one: 2.3.3
>
> Thanks

From mposolda at redhat.com Fri Nov 25 04:11:00 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 25 Nov 2016 10:11:00 +0100
Subject: [keycloak-user] Hardcoded role mappers in user federation provider - roles not applied
In-Reply-To: <48AD9DE5-2C6E-42D9-B39D-9F5F7DC456EA@info.nl>
References: <48AD9DE5-2C6E-42D9-B39D-9F5F7DC456EA@info.nl>
Message-ID: <33fca8b0-e4e0-0bf4-836f-b650e71b9177@redhat.com>

On 24/11/16 16:18, Edgar Vonk - Info.nl wrote:
> Hi all,
>
> We are struggling with the hardcoded role mapper in Keycloak 2.3.0.Final.
>
> What we have is a User Federation provider that connects to MSAD/LDAP with:
> - a hardcoded role mapper that adds role X
> - a hardcoded role mapper that adds role Y
> - a role mappings mapper that maps all LDAP groups in a certain DN to
>   predefined roles in Keycloak; now the thing is: these LDAP groups map to
>   the very same predefined roles X and Y
>
> My first question: is this setup supposed to work? Do the hardcoded role
> mappers play nicely with a role mappings mapper when they use the same roles?
>
> What we see is so far kind of unpredictable. Sometimes users end up with
> role X, sometimes with no role at all, etc.
>
> What I think is happening is:
> - the mappers are applied in random order in Keycloak (is this the case?)

Yes, it is. I was thinking about adding priority, but didn't do it yet. Could
you please create a JIRA?

Thanks,
Marek

> - the role mappings mapper may remove roles X and/or Y if they are applied
>   to a hardcoded role mapper, if it happens to be applied last?
>
> cheers
>
> Edgar

From mposolda at redhat.com Fri Nov 25 04:20:18 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 25 Nov 2016 10:20:18 +0100
Subject: [keycloak-user] how to clean-up OFFLINE_CLIENT_SESSION, OFFLINE_USER_SESSION tables
In-Reply-To: <137175604.28982403.1480014712412.JavaMail.root@centurylink.net>
References: <137175604.28982403.1480014712412.JavaMail.root@centurylink.net>
Message-ID: <82f34357-86a0-2703-5496-a2dad5c4fcec@redhat.com>

It seems you are using offline tokens for some of your applications, right?

There is a periodic cleaner, which will remove the records of the expired
offline sessions. But the timeout for the offline sessions is 30 days by
default. Also the time of "last refresh" is currently updated in the DB every
time you restart the server (in case you have a single server without a
cluster). In other words, if you restart the server at least once every 30
days, the table will keep growing.

It is probably something we can improve... Feel free to create a JIRA. Until
then, your possibilities are:
- Decrease the timeout to a shorter value than 30 days (can be done in the
  admin console)
- Ensure the server is not restarted within 30 days, so the outdated sessions
  can be cleared.
- Use a cluster with 2 nodes or more and ensure that at least 1 node is
  always online.
Marek

On 24/11/16 20:11, i.pop at centurylink.net wrote:
> Hi,
> Working with a domain clustered mode and shared ORACLE db, I am noticing
> the {OFFLINE_CLIENT_SESSION, OFFLINE_USER_SESSION} tables keep growing in
> size. How do these tables get cleaned up?
>
>
> Thanks,
> Ioan

From mposolda at redhat.com Fri Nov 25 04:29:20 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 25 Nov 2016 10:29:20 +0100
Subject: [keycloak-user] Suggestions and fix for e-directory user federation provider
In-Reply-To:
References:
Message-ID: <2ac3f816-b152-3864-a5ef-45ffa6584da8@redhat.com>

On 24/11/16 13:32, Tomas Tikovsky wrote:
> Hello everyone,
>
> I'm using the e-directory federation ldap provider and came to this bug
> KEYCLOAK-3099 as I was experiencing the same problem.
> e-Directory sends the guid attribute as byte[] so it needs to be declared as
> binary the same way as it's done for activeDirectory.
> Sending a simple diff to fix this issue if you consider this helpful.
>
> Novell was acquired by microfocus and their product has been renamed to
> netIQ eDirectory so I incorporated that change as well.

Currently we don't have any support for netIQ eDirectory and we never tested
with it. Novell eDirectory was a community contribution.

Btw. If it uses the guid attribute in the same way as activeDirectory, then
maybe you can just select vendor "Active Directory" and then just change the
name of the UUID attribute manually?

>
> Another thing I noted were 2 incorrect attribute mappings in the
> administration console.
>
> "username" -> "uid"
> correct as long as users are enabled for linux (not default), otherwise cn.
> So cn should work for more cases than uid.
>
> "firstname" -> "cn"
> wrong, should be "givenname"

There is some best effort to create mappers according to which vendor you
choose.
So for example if you select "Active Directory" it already uses "cn" for
username by default. For "OpenLDAP" it uses "uid" for username etc. But all
things can be configured/changed manually and you have the possibility to
configure mappers exactly according to your LDAP environment (eg. change
firstName to "givenName" etc).

Marek

>
> Cheers
>
> Tom

From jayapriya.atheesan at gmail.com Fri Nov 25 07:25:31 2016
From: jayapriya.atheesan at gmail.com (JAYAPRIYA ATHEESAN)
Date: Fri, 25 Nov 2016 17:55:31 +0530
Subject: [keycloak-user] Keycloak user registration
References: <5836bfea.c241620a.c2fa9.c175@mx.google.com>
Message-ID: <58382dbf.01a8630a.a5994.2025@mx.google.com>

Keeping the list in the loop.

So how can we proceed with this? Won't we be able to verify or use that user
id again? Will the user who we created and missed to verify within 60 mins be
invalid always? Isn't there any way by which we can re-verify the user?

Thanks,
Jayapriya Atheesan

From: JAYAPRIYA ATHEESAN [mailto:jayapriya.atheesan at gmail.com]
Sent: Friday, November 25, 2016 5:48 PM
To: 'abhishek raghav'
Subject: RE: [keycloak-user] Keycloak user registration

So how can we proceed with this? Won't we be able to verify or use that user
id again?

Thanks,
Jayapriya Atheesan

From: abhishek raghav [mailto:abhi.raghav007 at gmail.com]
Sent: Friday, November 25, 2016 2:09 AM
To: JAYAPRIYA ATHEESAN
Subject: Re: [keycloak-user] Keycloak user registration

In your use case you are trying to verify the email of the registered user
through a link. Since a link is already generated by keycloak as a required
user action and sent to the user's email id, that means the user is already
created in keycloak. So you can not create that user again with the same
email id.
On Thu, Nov 24, 2016 at 3:54 PM, JAYAPRIYA ATHEESAN wrote:

Hi Team,

If I don't verify the email id which I signed up with keycloak and the email
verification link is expired, how to proceed about it? If I try to sign up
using the same email Id, I get an error saying the mail id already exists. Do
we have any solution for this issue?

Thanks,
Jayapriya Atheesan

From andrey.saroul at gmail.com Fri Nov 25 08:08:34 2016
From: andrey.saroul at gmail.com (Andrey Saroul)
Date: Fri, 25 Nov 2016 16:08:34 +0300
Subject: [keycloak-user] Keycloak behind 2 Nginx reverse proxies (HTTPS -> HTTP)
Message-ID:

We have an idea to isolate our application in our internal network so that all
communication in that network can go by HTTP.
So we've set up a public nginx server, which is responsible for establishing
https connections.
The public nginx server forwards requests to another nginx server in the
secured internal network, which in turn accesses Keycloak and WildFly by HTTP.
But this configuration is not working because of an invalid redirect issue.
In our client's json file we have to define auth-server-url with the HTTPS
scheme. When we try to specify HTTP, Keycloak no longer works.
So my question: is it possible to make things work by HTTP in the internal
private network and have HTTPS only remain for public access?
Any guidance will be appreciated.

From paal.oliver at gmail.com Fri Nov 25 09:04:45 2016
From: paal.oliver at gmail.com (Pål Oliver Kristiansen)
Date: Fri, 25 Nov 2016 14:04:45 +0000
Subject: [keycloak-user] Keycloak behind 2 Nginx reverse proxies (HTTPS -> HTTP)
In-Reply-To:
References:
Message-ID:

We use this setup and it works fine. BigIP load balancer in front with HTTPS
termination.
Behind that, an nginx server acts as a proxy in front of a docker container
running Keycloak.

What do you mean by "But this configuration is not working because of invalid
redirect issue."?

https://keycloak.gitbooks.io/server-installation-and-configuration/content/v/2.4/topics/network/https.html

On Fri, 25 Nov 2016 at 14:10, Andrey Saroul wrote:
> We have an idea to isolate our application in our internal network so that
> all communication in that network can go by HTTP.
> So we've set up a public nginx server, which is responsible for
> establishing https connections.
> The public nginx server forwards requests to another nginx server in the
> secured internal network, which in turn accesses Keycloak and WildFly by HTTP.
> But this configuration is not working because of an invalid redirect issue.
> In our client's json file we have to define auth-server-url with the HTTPS
> scheme. When we try to specify HTTP, Keycloak no longer works.
> So my question: is it possible to make things work by HTTP in the internal
> private network and have HTTPS only remain for public access?
> Any guidance will be appreciated.
>
-- 
Pål Oliver Kristiansen
Cornix Consulting
92 22 60 41

From java at neposoft.com Fri Nov 25 10:38:27 2016
From: java at neposoft.com (java_os)
Date: Fri, 25 Nov 2016 10:38:27 -0500
Subject: [keycloak-user] spring sec/boot:: SPA -> Bearer_1 -> Bearer_2
Message-ID: <43193580b98be2f5445396ba005662ce.squirrel@neposoft.com>

What's the best practice on this scenario:
--
SPA (has the token from keycloak.js) -->Rest call--> Bearer_1 -->Rest call --> Bearer_2

Bearer_1 and Bearer_2 are spring sec/boot enabled.
Rest calls between Bearer_1 and Bearer_2 use resttemplates and inject into the
"Authorization" header the "Bearer token_long_string"

Bearer_1 has the KeycloakAuthenticationToken object.
Bearer_2 needs to be fed in with a valid non-expired token somehow - but how?
Not sure if one can get this out from KeycloakAuthenticationToken and pass it
in onto the header calls to bearer_2.
Is this the right approach for in-flight rest calls between 2 bearers?

What's the best practice on this scenario?
Anyone has done this for real?
- thx.

From sblanc at redhat.com Fri Nov 25 10:49:22 2016
From: sblanc at redhat.com (Sebastien Blanc)
Date: Fri, 25 Nov 2016 16:49:22 +0100
Subject: [keycloak-user] spring sec/boot:: SPA -> Bearer_1 -> Bearer_2
In-Reply-To: <43193580b98be2f5445396ba005662ce.squirrel@neposoft.com>
References: <43193580b98be2f5445396ba005662ce.squirrel@neposoft.com>
Message-ID:

The SpringSec Adapter offers a KeycloakRestTemplate that will do all the magic
for you ;)
https://github.com/keycloak/keycloak/blob/master/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/client/KeycloakRestTemplate.java

Check a usage example here:
https://github.com/foo4u/keycloak-spring-demo/blob/master/product-app/src/main/java/org/keycloak/example/spring/product/service/RemoteProductService.java#L19-L28

To get the token "manually", you can try to access the KeycloakSecurityContext
and extract the token from there; look at this method that does this:
https://github.com/keycloak/keycloak/blob/master/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/client/KeycloakClientRequestFactory.java#L64

Hope these pointers will help you

Sebi

On Fri, Nov 25, 2016 at 4:38 PM, java_os wrote:
> What's the best practice on this scenario:
> --
> SPA (has the token from keycloak.js) -->Rest call--> Bearer_1 -->Rest call
> --> Bearer_2
>
> Bearer_1 and Bearer_2 are spring sec/boot enabled.
> Rest calls between Bearer_1 and Bearer_2 using resttemplates and injecting
> into "Authorization" header the "Bearer token_long_string"
>
> Bearer_1 has the KeycloakAuthenticationToken object.
> Bearer_2 needs to be fed in with a valid non-expired token somehow - but
> how? Not sure if one can get this out from KeycloakAuthenticationToken and
> pass it in onto the header calls to bearer_2.
> Is this the right approach for in-flight rest calls between 2 bearers?
>
> What's the best practice on this scenario?
> Anyone has done this for real?
> - thx.
>

From java at neposoft.com Fri Nov 25 10:55:39 2016
From: java at neposoft.com (java_os)
Date: Fri, 25 Nov 2016 10:55:39 -0500
Subject: [keycloak-user] spring sec/boot:: SPA -> Bearer_1 -> Bearer_2
In-Reply-To:
References: <43193580b98be2f5445396ba005662ce.squirrel@neposoft.com>
Message-ID:

Yes Sir - thanks. good old friend!

> The SpringSec Adapter offers a KeycloakRestTemplate that will do all the
> magic for you ;)
> https://github.com/keycloak/keycloak/blob/master/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/client/KeycloakRestTemplate.java
>
> Check a usage example here:
> https://github.com/foo4u/keycloak-spring-demo/blob/master/product-app/src/main/java/org/keycloak/example/spring/product/service/RemoteProductService.java#L19-L28
>
> To get the token "manually", you can try to access the
> KeycloakSecurityContext and extract the token from there; look at this
> method that does this:
>
> https://github.com/keycloak/keycloak/blob/master/adapters/oidc/spring-security/src/main/java/org/keycloak/adapters/springsecurity/client/KeycloakClientRequestFactory.java#L64
>
> Hope these pointers will help you
>
> Sebi
>
>
>
>
> On Fri, Nov 25, 2016 at 4:38 PM, java_os wrote:
>
>> What's the best practice on this scenario:
>> --
>> SPA (has the token from keycloak.js) -->Rest call--> Bearer_1 -->Rest
>> call
>> --> Bearer_2
>>
>> Bearer_1 and Bearer_2 are spring sec/boot enabled.
>> Rest calls between Bearer_1 and Bearer_2 using resttemplates and
>> injecting
>> into "Authorization" header the "Bearer token_long_string"
>>
>> Bearer_1 has the KeycloakAuthenticationToken object.
>> Bearer_2 needs to be fed in with a valid non-expired token somehow -
>> but
>> how? Not sure if one can get this out from KeycloakAuthenticationToken
>> and
>> pass it in onto the header calls to bearer_2.
>> Is this the right approach for in-flight rest calls between 2 bearers?
>>
>> What's the best practice on this scenario?
>> Anyone has done this for real?
>> - thx.
>>
>

From andrey.saroul at gmail.com Sat Nov 26 09:30:21 2016
From: andrey.saroul at gmail.com (Andrey Saroul)
Date: Sat, 26 Nov 2016 17:30:21 +0300
Subject: [keycloak-user] Max Login Failures and username_login_failure table
Message-ID:

Hello!
I used to think that the table username_login_failure stores data of login
failures, but I noticed that when a user gets blocked by incorrectly entering
the password, the aforementioned table is still empty. When I searched the
source code for table usage I found none. The same trouble for many other
tables, like user_session, offline_user_session... etc. This kinda confuses my
expectations...
Are there any configuration steps I need to make in order to view the
corresponding data for these tables? Is this data stored only in the
Infinispan cache?

From sblanc at redhat.com Sat Nov 26 17:20:31 2016
From: sblanc at redhat.com (Sebastien Blanc)
Date: Sat, 26 Nov 2016 22:20:31 +0000
Subject: [keycloak-user] Max Login Failures and username_login_failure table
In-Reply-To:
References:
Message-ID:

Have you turned on the events in the admin console? I might be wrong but that
could be the reason.

On Sat, 26 Nov 2016 at 15:32, Andrey Saroul wrote:
> Hello!
> I used to think that the table username_login_failure stores data of login
> failures, but I noticed that when a user gets blocked by incorrectly entering
> the password, the aforementioned table is still empty. When I searched the
> source code for table usage I found none. The same trouble for many other
> tables, like user_session, offline_user_session... etc. This kinda confuses
> my expectations...
> Are there any configuration steps I need to make in order to view the
> corresponding data for these tables? Is this data stored only in the
> Infinispan cache?
>

From jreg2k at gmail.com Sun Nov 27 11:56:36 2016
From: jreg2k at gmail.com (James James)
Date: Sun, 27 Nov 2016 17:56:36 +0100
Subject: [keycloak-user] Create user from keycloak UI with FreeIPA backend
Message-ID:

Hello,

I want to be able to create a user in the FreeIPA backend from the keycloak
registration portal... is it possible? For me it's impossible but I just want
to be sure.

http://lists.jboss.org/pipermail/keycloak-user/2016-June/006607.html
https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/user-federation/sssd.html

Regards.

James Regis

From keycloaklist at ulise.de Sun Nov 27 14:01:25 2016
From: keycloaklist at ulise.de (Uli SE)
Date: Sun, 27 Nov 2016 20:01:25 +0100
Subject: [keycloak-user] URI in User EMails
Message-ID:

Hi,

because we are behind a firewall with a reverse proxy, the hostname the users
are using is not the hostname of our keycloak server.

The mails generated by our keycloak are linking to the internal host and not
to the external domain.

Is there a way to specify the domain which should be used in the mails?
Thanks,

Uli

From keycloaklist at ulise.de Sun Nov 27 15:51:49 2016
From: keycloaklist at ulise.de (Uli SE)
Date: Sun, 27 Nov 2016 21:51:49 +0100
Subject: [keycloak-user] URI in User EMails
In-Reply-To:
References:
Message-ID:

Need to say that this problem occurs if I use the "Send-eMail" button in the
admin console. "Forgot-password" mails work because they have the correct
baseUri from the request.

On 27.11.2016 at 20:01, Uli SE wrote:
> Hi,
>
> because we are behind a firewall with a reverse proxy, the hostname the
> users are using is not the hostname of our keycloak server.
>
> The mails generated by our keycloak are linking to the internal host
> and not to the external domain.
>
> Is there a way to specify the domain which should be used in the mails?
>
> Thanks,
>
> Uli

From michael_furman at hotmail.com Sun Nov 27 23:34:20 2016
From: michael_furman at hotmail.com (Michael Furman)
Date: Mon, 28 Nov 2016 04:34:20 +0000
Subject: [keycloak-user] How to configure Keycloak in case of Reverse Proxy with NAT?
Message-ID:

Hi all,
I need to configure Keycloak to work behind a Reverse Proxy with Network
Address Translation.
I have servers that have an external IP to access from a browser and an
internal IP for inter-process access.
Also, it is not possible to access external IPs from internal IPs.
Therefore, the following configuration should be returned upon the call of
http:///auth/realms/master/.well-known/openid-configuration:

"issuer":"http:///auth/realms/master",
"authorization_endpoint":"http:///auth/realms/master/protocol/openid-connect/auth",
"token_endpoint":"http:///auth/realms/master/protocol/openid-connect/token",
"userinfo_endpoint":"http:///auth/realms/master/protocol/openid-connect/userinfo",
"jwks_uri":"http:///auth/realms/master/protocol/openid-connect/certs",
"end_session_endpoint":"http:///auth/realms/master/protocol/openid-connect/logout",
"check_session_iframe":"http:///auth/realms/master/protocol/openid-connect/login-status-iframe.html",
"token_introspection_endpoint":"http:///auth/realms/master/protocol/openid-connect/token/introspect",

Will be happy for any insights.
Michael

From watson409 at gmail.com Mon Nov 28 00:15:18 2016
From: watson409 at gmail.com (Brian Watson)
Date: Mon, 28 Nov 2016 00:15:18 -0500
Subject: [keycloak-user] Spring Boot Adapter and SSL Termination Issues
Message-ID:

Hey all,

I am having a problem related to the Spring boot adapter and SSL termination at
the load balancer level. I am using Keycloak 2.1.0.Final.

Locally, when not using HTTPS and setting "keycloak.ssl-required = none",
everything, including using google and facebook as identity providers, works
as expected.

However, I am now trying to deploy my demo to AWS. I am terminating SSL at the
ELB level, and that seems to be causing issues.

Here is my full config (with ... added for secrets & such):
----------
server.port = 8080

keycloak.realm = social
keycloak.realmKey = MIIB...
keycloak.auth-server-url = https://sso...
keycloak.ssl-required = all
keycloak.resource = adapter-client
keycloak.token-store = cookie
keycloak.credentials.secret = ...
keycloak.securityConstraints[0].securityCollections[0].name = secure
keycloak.securityConstraints[0].securityCollections[0].authRoles[0] = user
keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /secure/*
----------

The issue I am having seems to be related to terminating SSL at the ELB level.
When tracing through a login request, all requests from the browser seem
proper. However, I get the following error in the demo app:
----------
2016-11-28 04:44:59.829 ERROR 2531 --- [nio-8080-exec-5] o.k.adapters.OAuthRequestAuthenticator : Adapter requires SSL. Request: http://keycloakdemo.devcloud.applause.com/secure/index.html?state=...
----------

So, it appears that the adapter is expecting an SSL request, but the ELB is
terminating SSL, so the adapter just sees an HTTP request, and errors out.

Is there a way to configure the adapter to tell it SSL termination is
happening at the load balancer? I know that keycloak itself has such
configuration, but do the adapters?

Thank you,
Brian Watson

From andrey.saroul at gmail.com Mon Nov 28 03:45:43 2016
From: andrey.saroul at gmail.com (Andrey Saroul)
Date: Mon, 28 Nov 2016 11:45:43 +0300
Subject: [keycloak-user] Max Login Failures and username_login_failure table
In-Reply-To:
References:
Message-ID:

Yes, they are all turned on.

2016-11-27 1:20 GMT+03:00 Sebastien Blanc :
> Have you turned on the events in the admin console? I might be wrong but
> that could be the reason.
>
> On Sat, 26 Nov 2016 at 15:32, Andrey Saroul wrote:
>
>> Hello!
>> I used to think that the table username_login_failure stores data of login
>> failures, but I noticed that when a user gets blocked by incorrectly
>> entering the password, the aforementioned table is still empty. When I
>> searched the source code for table usage I found none. The same trouble
>> for many other tables, like user_session, offline_user_session... etc.
>> This kinda confuses my expectations...
>> Are there any configuration steps I need to make in order to view
>> corresponding data for these tables? Is this data stored only in the
>> Infinispan cache?
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

From andyyar66 at gmail.com Mon Nov 28 04:33:04 2016
From: andyyar66 at gmail.com (Andy Yar)
Date: Mon, 28 Nov 2016 10:33:04 +0100
Subject: [keycloak-user] Session timeouts for SPA + bearer backend
Message-ID:

Hello,

I'm having a problem with my SPA Angular-based application.

TL;DR: The app's session seems to be valid (cookies) although requests to the backend fail since its token has expired - openid-connect/token = HTTP 400 (Refreshing token: token expired).

=========================

The app itself is protected with keycloak.js (Access Type: public + Standard Flow: ON + login_required) and the backend is built with the Spring Security adapter (Access Type: bearer-only).

Everything works fine until I leave the app idle for some time and then resume using it (requesting from the backend). When I do so, the backend starts to respond with an error as its session had timed out - openid-connect/token returns 400. Although, obviously, the session for the app itself hadn't expired yet.

As far as I know, there is for instance a KEYCLOAK_SESSION cookie which is checked periodically by keycloak.js. When I remove the cookie manually, it gets checked and the app gets redirected to its login screen.

KC version used is 2.2.1.Final.

My realm token settings:
* Revoke Refresh Token: OFF
* SSO Session Idle: 30mins
* SSO Session Max: 6days
* Offline Session Idle: 30days
* Access Token Lifespan: 15mins
* ditto for Implicit Flow: 18mins

How should I set my app/token settings up to solve this? Should I just force my client to relog as soon as "Refreshing token: token expired" occurs? Don't know what the proper way to handle this is...

Thanks in advance.
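For Brian Watson's Spring Boot adapter question above ("Adapter requires SSL" behind an ELB that terminates TLS), here is an added example, not from Brian's post and not the Keycloak project's own code: his application.properties with the one setting that lets the adapter see the request as HTTPS. It assumes Spring Boot 1.x with the default embedded Tomcat, and that the ELB forwards X-Forwarded-Proto and X-Forwarded-For (AWS ELB does for HTTP/HTTPS listeners). Everything other than the commented lines is Brian's configuration as posted.

```properties
# application.properties - added example for SSL termination at the load balancer.
server.port = 8080

# Let embedded Tomcat honour X-Forwarded-Proto / X-Forwarded-For (Tomcat's
# RemoteIpValve). With X-Forwarded-Proto: https the request is marked secure,
# so the adapter's SSL check passes and the redirect_uri it builds is https://.
# Assumption: only the ELB can reach port 8080. The valve trusts the headers only
# from RFC 1918 peers by default; if a client could hit 8080 directly it could
# spoof X-Forwarded-Proto and bypass the SSL requirement entirely.
server.use-forward-headers = true

keycloak.realm = social
keycloak.realmKey = MIIB...
keycloak.auth-server-url = https://sso...
# Keep "all": once the forwarded headers are honoured every request is secure.
# "external" (SSL only for non-private client addresses) is the other safe value;
# "none" must stay a local-only setting.
keycloak.ssl-required = all
keycloak.resource = adapter-client
keycloak.token-store = cookie
keycloak.credentials.secret = ...
keycloak.securityConstraints[0].securityCollections[0].name = secure
keycloak.securityConstraints[0].securityCollections[0].authRoles[0] = user
keycloak.securityConstraints[0].securityCollections[0].patterns[0] = /secure/*
```

The check the adapter performs is on the servlet request's secure flag, which is why the fix lives in the container's proxy handling rather than in the Keycloak properties: the adapter never talks to the ELB and cannot know TLS was terminated unless the container tells it.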
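For Andy Yar's question above, here is an added Node.js example, not from Andy's post and not keycloak.js code, that models the decision his SPA must take before each backend call. With the realm settings he quotes, the refresh token's `exp` is the SSO Session Idle window (30 min), while the access token lives 15 min. After more than 30 idle minutes the refresh token is dead, so `openid-connect/token` answers 400 even though the KEYCLOAK_SESSION cookie (whose lifetime follows SSO Session Max) is still in the browser. In the real app the "refresh" branch is `keycloak.updateToken(minValidity)` and the "login" branch is `keycloak.login()`; here the tokens are constructed, unsigned JWTs so the logic runs offline.

```javascript
// Added example: refresh-or-login decision for a keycloak.js SPA calling a
// bearer-only backend. Tokens below are constructed and unsigned; they only
// carry the exp claim the decision needs. Never accept such tokens server side.

function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// header.payload. with an empty signature (alg none), for demonstration only.
function makeToken(claims) {
  return `${b64url({ alg: 'none', typ: 'JWT' })}.${b64url(claims)}.`;
}

// Decode the payload without verifying anything: the SPA only needs exp to
// schedule a refresh; verification is the backend's job.
function payloadOf(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'));
}

// Seconds the token is still valid at `now` (epoch seconds); <= 0 means expired.
function secondsLeft(jwt, now) {
  const exp = payloadOf(jwt).exp;
  if (typeof exp !== 'number') throw new Error('missing exp');
  return exp - now;
}

// What the SPA should do before a backend request:
//  'use'     - access token valid for at least minValidity more seconds
//  'refresh' - access token (almost) expired but the refresh token is alive,
//              so keycloak.updateToken(minValidity) will succeed
//  'login'   - refresh token expired too (SSO Session Idle elapsed); the token
//              endpoint would return 400, so call keycloak.login() instead
function nextAction(accessToken, refreshToken, now, minValidity = 30) {
  if (secondsLeft(accessToken, now) > minValidity) return 'use';
  if (secondsLeft(refreshToken, now) > 0) return 'refresh';
  return 'login';
}

// Issue a token pair at `issuedAt` using the lifetimes from the post:
// Access Token Lifespan 15 min, SSO Session Idle 30 min (refresh token exp).
function issuePair(issuedAt, accessLifespan = 15 * 60, ssoIdle = 30 * 60) {
  return {
    accessToken: makeToken({ iat: issuedAt, exp: issuedAt + accessLifespan, typ: 'Bearer' }),
    refreshToken: makeToken({ iat: issuedAt, exp: issuedAt + ssoIdle, typ: 'Refresh' }),
  };
}

// Walk a session through the timeline Andy describes.
function timeline(issuedAt) {
  const { accessToken, refreshToken } = issuePair(issuedAt);
  return [5 * 60, 14 * 60 + 45, 20 * 60, 31 * 60].map((offset) => ({
    minutesAfterLogin: offset / 60,
    action: nextAction(accessToken, refreshToken, issuedAt + offset),
  }));
}

console.log(timeline(Math.floor(Date.now() / 1000)));
```

The practical answer this encodes: do not retry the refresh when the token endpoint returns 400 for an expired refresh token; treat that as "session over" and send the user back through `keycloak.login()`. Refreshing proactively (within `minValidity` of expiry) while the user is active keeps the refresh token's idle clock moving, so only a genuinely idle user ever reaches the login branch.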
From mposolda at redhat.com Mon Nov 28 04:34:00 2016
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 28 Nov 2016 10:34:00 +0100
Subject: [keycloak-user] URI in User EMails
In-Reply-To:
References:
Message-ID:

And when you access the admin console, are you going through the proxy as well? If yes, then it's maybe an issue on our end, so feel free to create a JIRA.

Marek

On 27/11/16 21:51, Uli SE wrote:
> Need to say that this problem occurs if I use the "Send-eMail" button
> in the admin console. "Forgot-password" mails work because they have the
> correct baseUri from the request.
>
> On 27.11.2016 at 20:01, Uli SE wrote:
>> Hi,
>>
>> because we are behind a firewall with a reverse proxy, the hostname the
>> users are using is not the hostname of our Keycloak server.
>>
>> The mails generated by our Keycloak are linking to the internal host
>> and not to the external domain.
>>
>> Is there a way to specify the domain which should be used in the mails?
>>
>> Thanks,
>>
>> Uli
>>

From guus.der.kinderen at gmail.com Mon Nov 28 06:59:51 2016
From: guus.der.kinderen at gmail.com (Guus der Kinderen)
Date: Mon, 28 Nov 2016 12:59:51 +0100
Subject: [keycloak-user] Access Token and email address
Message-ID:

Hello,

Is it possible to withhold the email address of a user from a token (unless a specific claim/role is granted)?

Regards,

Guus

From guus.der.kinderen at gmail.com Mon Nov 28 07:12:50 2016
From: guus.der.kinderen at gmail.com (Guus der Kinderen)
Date: Mon, 28 Nov 2016 13:12:50 +0100
Subject: [keycloak-user] Resource server implementation best practices?
Message-ID:

Hello,

When implementing one or more services that, based on an access token, expose data related to the user that's identified in the access token, is there a "best practice" in regards to handling the available scopes?

I'm debating between having one resource server that exposes all data to which the token grants access, versus having a resource server "per claim", that either returns data or an error code based on the presence of a particular scope within the access token.

Is there a common approach / best practice that covers this?

Regards,

Guus

From celso.agra at gmail.com Mon Nov 28 08:25:20 2016
From: celso.agra at gmail.com (Celso Agra)
Date: Mon, 28 Nov 2016 10:25:20 -0300
Subject: [keycloak-user] Fwd: Questions about Themes and JS Validation in the Keycloak instance
In-Reply-To:
References:
Message-ID:

Hi,

I'm new to Keycloak. I need some help to understand some features, please.

So, I'd like to know about themes. Would it be possible to visualize the built template before deploying it to the Keycloak instance? I'd like to see it before publishing.

Also, I'd like to know if I can add some JavaScript validation on pages, such as 'user-profile-registration.ftl'. I searched some examples of templates, but I didn't find examples with that validation.

Thanks a lot.
Best regards,

Celso Agra

From sthorger at redhat.com Mon Nov 28 08:42:02 2016
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 28 Nov 2016 14:42:02 +0100
Subject: [keycloak-user] Fwd: Questions about Themes and JS Validation in the Keycloak instance
In-Reply-To:
References:
Message-ID:

On 28 November 2016 at 14:25, Celso Agra wrote:

> Hi,
> I'm new to Keycloak. I need some help to understand some features, please.
> So, I'd like to know about themes. Would it be possible to visualize the built
> template before deploying it to the Keycloak instance? I'd like to see it
> before publishing.
>

No, you'll need to try it out on a live server, but obviously not your production server.

>
> Also, I'd like to know if I can add some JavaScript validation on pages,
> such as 'user-profile-registration.ftl'.
>
> I searched some examples of templates, but I didn't find examples with that
> validation.
>

We don't rely on any JavaScript on the login-related pages by choice, but you can add some if you want. Just add a JavaScript to the page with the scripts property in templates.properties and whatever JS you want to the page itself.

>
> Thanks a lot.
> Best regards,
>
> Celso Agra
>

From ben.quirk at edlogics.com Mon Nov 28 09:09:52 2016
From: ben.quirk at edlogics.com (Ben Quirk)
Date: Mon, 28 Nov 2016 09:09:52 -0500
Subject: [keycloak-user] Is there a way to include a link within an error message resource?
Message-ID: <76d1b01d24981$18c30ad0$4a492070$@edlogics.com>

My scenario:

A user requests a password reset but their link expires. When they click the link, they're shown an error message that comes from the message property "invalidCodeMessage". Is it possible to include a new password reset link here so they can easily request a new one?

I figured I could do this in the template, however it looks like error.tpl is used for all errors and the message is being rendered with "${message.summary}", so I can't easily pass a message parameter through via the template.
Thanks in advance,
Ben Quirk

From bburke at redhat.com Mon Nov 28 11:33:27 2016
From: bburke at redhat.com (Bill Burke)
Date: Mon, 28 Nov 2016 11:33:27 -0500
Subject: [keycloak-user] User Federation Mapper :: LDAP :: group-ldap-mapper gives NullPointerException
In-Reply-To: <1480062332213.15786.19460@webmail2>
References: <1479998444632.72126.13614@webmail7> <1479998660497.15812.13628@webmail2> <1480062332213.15786.19460@webmail2>
Message-ID: <77d57e9c-4e4e-a5d7-e4f3-db22940b57c6@redhat.com>

I see the problem... Fixing in 2.5.0, next release.

On 11/25/16 3:25 AM, Jonas Weber wrote:
> Hi,
>
> I'm using the current jboss/keycloak-postgres:2.4.0.Final Docker image to spin up a Keycloak instance (in connection with a dockerized Postgres and an external OpenLDAP). When I use a User Federation provider based on LDAP I can sync users perfectly fine.
>
> But it fails when I try to use a group-ldap-mapper or a role-ldap-mapper with a NullPointerException on sync ():
>
> 13:07:26,114 ERROR [io.undertow.request] (default task-29) UT005023: Exception handling request to /auth/admin/realms/master/user-storage/eff22c64-a503-4f19-a5bc-80950c8f29f5/mappers/e66ce32c-a3e5-4f4c-a629-4ced9ab571dd/sync: org.jboss.resteasy.spi.UnhandledException: java.lang.NullPointerException
>     at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
>     at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
>     at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>     at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>     at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>     at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>     at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>     at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>     at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>     at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>     at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>     at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>     at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>     at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>     at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>     at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>     at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>     at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>     at java.lang.Thread.run(Thread.java:745)
> Caused by: java.lang.NullPointerException
>     at org.keycloak.services.resources.admin.UserStorageProviderResource.syncMapperData(UserStorageProviderResource.java:147)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
>     ... 37 more
>
> Am I doing something wrong? Or is this a bug?
>
> Best regards,
> Jonas Weber
>

From lists at merit.unu.edu Mon Nov 28 15:39:05 2016
From: lists at merit.unu.edu (lists)
Date: Mon, 28 Nov 2016 21:39:05 +0100
Subject: [keycloak-user] NameID formats
Message-ID:

Hi,

I am using simplesamlphp's builtin "test authentication sources" functionality against my Keycloak server.

From what I understand it should be possible to obtain the regular username as a NameID, if I ask for the format urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.

However, the simplesaml test auth source keeps telling me:

> NameId G-6445a8a1-c453-295b-3865-81dd5e4820f6
> Format urn:oasis:names:tc:SAML:2.0:nameid-format:transient

I am trying to use (mostly) clients that require access to the normal username, and not some string like the above.

- in the Keycloak client config I have set NameID format to "username".
- in simplesaml I (think I) request urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

So the question: how can I make Keycloak return the regular (Active Directory) username to a client?

As a workaround I now use "urn:oid:2.5.4.4" for a username, as for most users this is identical to the username.

MJ

From Dimitrios.Gkazgkas at tangoservices.lu Mon Nov 28 15:45:35 2016
From: Dimitrios.Gkazgkas at tangoservices.lu (dimitrios.gkazgkas)
Date: Mon, 28 Nov 2016 13:45:35 -0700 (MST)
Subject: [keycloak-user] multiple ldap servers (failover)
In-Reply-To:
References: <5e6a9c4e-ff28-73e6-df3b-4896b5ebc78a@merit.unu.edu> <6be2eea7-fd61-d291-c6a5-c719fcd38418@gmail.com> <6308da08-9f12-d162-3ede-05908b6f1fad@merit.unu.edu>
Message-ID: <1480365935048-1668.post@n6.nabble.com>

Hello, what is the status of this issue?

Because I can confirm that during a network outage, when one LDAP went down (the first one configured in the connection URL), the Keycloak server hung.
--
View this message in context: http://keycloak-user.88327.x6.nabble.com/keycloak-user-multiple-ldap-servers-failover-tp1567p1668.html
Sent from the keycloak-user mailing list archive at Nabble.com.

From lists at merit.unu.edu Mon Nov 28 15:53:07 2016
From: lists at merit.unu.edu (lists)
Date: Mon, 28 Nov 2016 21:53:07 +0100
Subject: [keycloak-user] multiple ldap servers (failover)
In-Reply-To: <1480365935048-1668.post@n6.nabble.com>
References: <5e6a9c4e-ff28-73e6-df3b-4896b5ebc78a@merit.unu.edu> <6be2eea7-fd61-d291-c6a5-c719fcd38418@gmail.com> <6308da08-9f12-d162-3ede-05908b6f1fad@merit.unu.edu> <1480365935048-1668.post@n6.nabble.com>
Message-ID:

Hi,

I did not file an issue, but instead worked around it, by using HAProxy on the Keycloak server:

- make Keycloak talk to haproxy on ldaps://localhost:636
- make haproxy connect to our three LDAP backend servers.

As I am using this on most of our other servers as well, it actually makes our config more standard; plus, haproxy keeps a log of backend servers coming up and going down, so you know at all times what is going on.

Perhaps this solution works for you too.

Best,
MJ

On 28-11-2016 21:45, dimitrios.gkazgkas wrote:
> Hello, what is the status of this issue?
>
> Because I can confirm that during a network outage, when one LDAP went down (the
> first one configured in the connection URL), the Keycloak server hung.
>
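An added example of MJ's workaround above (this is not MJ's own configuration): a minimal haproxy.cfg that listens on 127.0.0.1:636 for Keycloak and forwards each connection to one of three LDAPS backends, taking a backend out of rotation when it stops answering LDAP rather than only when TCP connect fails. The backend hostnames, the CA file path, and the timeout values are placeholders.

```haproxy
# haproxy.cfg - added example for fronting Keycloak's LDAP provider.
# Keycloak's connection URL becomes ldaps://localhost:636; haproxy does the
# failover that Keycloak's comma-separated URL list did not survive.
global
    log /dev/log local0
    maxconn 1024

defaults
    mode    tcp
    log     global
    option  tcplog
    # A dead peer must fail fast; an unbounded connect is what hung Keycloak.
    timeout connect 5s
    timeout client  60s
    timeout server  60s

frontend ldaps_in
    # Loopback only: Keycloak is the only intended client of this listener.
    bind 127.0.0.1:636
    default_backend ldaps_servers

backend ldaps_servers
    balance roundrobin
    # LDAPv3 bind-based health check instead of a bare TCP connect, wrapped in
    # TLS (check-ssl) because the backends only speak LDAPS. The CA file is a
    # placeholder; it must contain the issuer of the backends' certificates.
    option ldap-check
    server ldap1 ldap1.example.org:636 check check-ssl verify required ca-file /etc/haproxy/ldap-ca.pem inter 5s fall 2 rise 2
    server ldap2 ldap2.example.org:636 check check-ssl verify required ca-file /etc/haproxy/ldap-ca.pem inter 5s fall 2 rise 2
    server ldap3 ldap3.example.org:636 check check-ssl verify required ca-file /etc/haproxy/ldap-ca.pem inter 5s fall 2 rise 2
```

Because the proxy runs in TCP mode, the TLS session is end to end between Keycloak and the chosen backend: the certificate Keycloak validates is the backend's own, so it (or its CA) has to be in Keycloak's truststore, and if your JDK performs hostname verification for LDAPS the certificate must cover the name Keycloak dials. The health check is the part that actually delivers failover; with only `check` (TCP connect) a server that accepts connections but never answers a bind would stay in rotation and Keycloak would hang on it just as before.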
From jessec at stytch.com Mon Nov 28 19:50:25 2016
From: jessec at stytch.com (Jesse Chahal)
Date: Mon, 28 Nov 2016 16:50:25 -0800
Subject: [keycloak-user] Wildfly adapter: failed to turn code into token: java.net.SocketException
In-Reply-To:
References:
Message-ID:

We have been able to reproduce this problem using a single user where we dedicated 2 Wildfly app servers and 1 Keycloak server purely to test this out. We have also been able to reproduce this when trying to use multiple users as well (but I think the single user scenario is more important).

I believe it may somehow be router/network related but I have yet to find a way to prove it. I don't believe there are any docker network related limitations in regards to connections.

Before this switch we have been running Keycloak in production for a while as well as the app servers (on full VMs instead of docker). It is unlikely that the problem exists in any of our app servers' configuration since the configuration is 99% the same. In the new setup the Wildfly app servers live in docker (which are based off of the official jboss wildfly docker images).

Jesse

On Fri, Nov 25, 2016 at 1:01 AM, Marek Posolda wrote:

> Does this happen just if more users try to log in concurrently? It seems
> there is some limit somewhere for the number of maximum connections. Maybe
> it will help to increase the maximum number of threads at the undertow
> subsystem on the Keycloak side, or maybe at the AWS ELB load balancer side? Or
> maybe there is even some limit at the docker level?
>
> AFAIK the Apache HTTP Client (which is used by our adapters under the hood
> for exchanging the code for a token) has some retry strategy enabled by default.
> AFAIK we don't allow tweaking this, but it's likely 1 or 2 retries for each
> failed HTTP request AFAIK. However this should rather be tweaked by
> increasing the pool of connections for your server. Relying on Apache HTTP
> client retries doesn't look like a good solution IMO.
>
> Marek
>
>
> On 25/11/16 01:48, Jesse Chahal wrote:
>
>> We very recently started working on moving our web/app servers to AWS ECS
>> (docker). We have been using docker locally for a very long time without
>> issues.
>> During this transition we started seeing intermittent login failures
>> through the normal confidential browser redirect flow (not using
>> implicit).
>> It inconsistently fails during the process of turning an authorization
>> code into a bearer+refresh_token. The exception is always the same as well. I
>> have done tcpdump packet analysis for things such as RST packets but have not seen
>> anything that would result in this issue. I have confirmed that the
>> adapter does have the authorization code (although I don't know how to validate it). I
>> have confirmed that the date+times are synchronized in both the auth
>> server and the app server (therefore no weird expiration issues).
>> I have posted a stacktrace from the adapter in case anyone else has seen
>> this issue before. I'm hoping at the very least that maybe we could add a
>> retry mechanism to the adapter if a Connection reset issue occurs if no other
>> solutions present themselves.
>>
>> Current network setup:
>> Keycloak.2.1.0.Final on Centos6 EC2/VM --> AWS ELB load balancer --> internet -->
>>
>> <--------------------------------------------------------------------------------
>>
>> AWS NAT Gateway --> AWS ELB load balancer --> Amazon Linux ECS EC2/VM -->
>> Wildfly10 docker container + keycloak 2.1.0-wildfly-adapter
>>
>>
>> ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-13) [ ] failed to turn code into token: java.net.SocketException: Connection reset
>>     at java.net.SocketInputStream.read(SocketInputStream.java:209) [rt.jar:1.8.0_111]
>>     at java.net.SocketInputStream.read(SocketInputStream.java:141) [rt.jar:1.8.0_111]
>>     at sun.security.ssl.InputRecord.readFully(InputRecord.java:465) [jsse.jar:1.8.0_111]
>>     at sun.security.ssl.InputRecord.read(InputRecord.java:503) [jsse.jar:1.8.0_111]
>>     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973) [jsse.jar:1.8.0_111]
>>     at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:930) [jsse.jar:1.8.0_111]
>>     at sun.security.ssl.AppInputStream.read(AppInputStream.java:105) [jsse.jar:1.8.0_111]
>>     at org.apache.http.impl.io.AbstractSessionInputBuffer.fillBuffer(AbstractSessionInputBuffer.java:160)
>>     at org.apache.http.impl.io.SocketInputBuffer.fillBuffer(SocketInputBuffer.java:84)
>>     at org.apache.http.impl.io.AbstractSessionInputBuffer.readLine(AbstractSessionInputBuffer.java:273)
>>     at org.apache.http.impl.conn.DefaultHttpResponseParser.parseHead(DefaultHttpResponseParser.java:140)
>>     at org.apache.http.impl.conn.DefaultHttpResponseParser.parseHead(DefaultHttpResponseParser.java:57)
>>     at org.apache.http.impl.io.AbstractMessageParser.parse(AbstractMessageParser.java:261)
>>     at org.apache.http.impl.AbstractHttpClientConnection.receiveResponseHeader(AbstractHttpClientConnection.java:283)
>>     at org.apache.http.impl.conn.DefaultClientConnection.receiveResponseHeader(DefaultClientConnection.java:251)
>>     at org.apache.http.impl.conn.AbstractClientConnAdapter.receiveResponseHeader(AbstractClientConnAdapter.java:223)
>>     at org.apache.http.protocol.HttpRequestExecutor.doReceiveResponse(HttpRequestExecutor.java:272)
>>     at org.apache.http.protocol.HttpRequestExecutor.execute(HttpRequestExecutor.java:124)
>>     at org.apache.http.impl.client.DefaultRequestDirector.tryExecute(DefaultRequestDirector.java:685)
>>     at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:487)
>>     at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882)
>>     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
>>     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
>>     at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
>>     at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:107)
>>     at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:327)
>>     at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:273)
>>     at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:130)
>>     at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
>>     at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:92)
>>     at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233)
>>     at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250)
>>     at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219)
>>     at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121)
>>     at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:96)
>>     at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:89)
>>     at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
>>     at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
>>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>     at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
>>     at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>     at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>>     at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
>>     at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>>     at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>     at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>>     at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>     at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>     at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69)
>>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>     at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>>     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>>     at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>>     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>>     at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>>     at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_111]
>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_111]
>>     at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_111]
>>
>> 2016-11-24 22:37:14,255 WARN [com.indicee.service.authorization.EjbTimerInterceptor] (default task-13) [ ] UserIdentityServiceImpl:findByEmail took 484 ms
>> 2016-11-24 22:37:14,256 WARN [com.indicee.service.authorization.EjbTimerInterceptor] (default task-13) [ ] AccountSrvImpl:isCurrentAccountUnknown took 499 ms
>> 2016-11-24 22:37:14,257 WARN [com.indicee.service.authorization.EjbTimerInterceptor] (default task-13) [ ] BrandedVariableLookupSrvImpl:cacheKey took 500 ms
>> 2016-11-24 22:37:14,959 WARN [com.indicee.service.authorization.EjbTimerInterceptor] (default task-13) [ ] UserIdentityServiceImpl:findByEmail took 697 ms
>> 2016-11-24 22:37:14,960 WARN [com.indicee.service.authorization.EjbTimerInterceptor] (default task-13) [ ] AccountSrvImpl:isCurrentAccountUnknown took 701 ms
>> 2016-11-24 22:37:14,962 WARN [com.indicee.service.authorization.EjbTimerInterceptor] (default task-13) [ ] BrandedVariableLookupSrvImpl:getVariables took 703 ms
>> 2016-11-24 22:37:15,095 INFO [com.indicee.service.servlet.filter.ClientRequestIdFilter] (default task-14) [ ] Setting clientId [gwt_43cpg2jpm5oklfjkuue204jsmh] for session [qAYdgQ6PytsZ8kG5ah6mxEdmGeNPQpgT_2ExqU6A] created [1480026525644]
>> 2016-11-24 22:37:15,096 INFO [com.indicee.service.servlet.filter.ClientRequestIdFilter] (default task-14) [ ] clientRequestId via atomic integer = [gwt_43cpg2jpm5oklfjkuue204jsmh_0]
>> 2016-11-24 22:37:15,138 INFO [com.indicee.service.servlet.filter.ClientRequestIdFilter] (default task-15) [ ] clientRequestId via atomic integer = [gwt_43cpg2jpm5oklfjkuue204jsmh_1]
>> 2016-11-24 22:37:15,224 INFO [com.indicee.service.servlet.filter.ClientRequestIdFilter] (default task-12) [ ] clientRequestId via atomic integer = [gwt_43cpg2jpm5oklfjkuue204jsmh_2]
>> 2016-11-24 22:37:15,635 WARN [com.indicee.service.authorization.EjbTimerInterceptor] (d
>>     ...InitialHandler.java:284)
>>     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>>     at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>>     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>>     at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>>     at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_111]
>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_111]
>>     at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_111]
>>
>
>
>

From solsson at gmail.com Tue Nov 29 03:44:27 2016
From: solsson at gmail.com (Staffan)
Date: Tue, 29 Nov 2016 09:44:27 +0100
Subject: [keycloak-user] Expose JGroups ports in Docker keycloak-ha-postgres
In-Reply-To: <172f3778-45d3-64ee-cf41-034d8a5c1676@akvo.org>
References: <172f3778-45d3-64ee-cf41-034d8a5c1676@akvo.org>
Message-ID:

Hi,

After lots of trial and error we're now running Keycloak HA reliably in Kubernetes. I've summed up our conclusions in https://github.com/jboss-dockerfiles/keycloak/pull/62.

The JDBC_PING class works out of the box with MySQL and the `datasource_jndi_name` property is a great fit with Keycloak's config. I tried KUBE_PING but gave up when the jars weren't available in Keycloak, and I found the docs insufficient for how to build + bundle + configure. I also tried GOOGLE_PING and, with https://github.com/minio/minio, S3_PING but ran into access control issues. The other ping impls may have their advantages, but JDBC_PING worked out of the box.

/Staffan

On Thu, Nov 10, 2016 at 9:46 AM, Iván Perdomo wrote:

> Hi,
>
> I'm also interested in running Keycloak HA with Kubernetes/Google Cloud
> Platform.
>
>> JGroups members use multicast communication over UDP to broadcast
>> their presence to other instances on a network. Google Cloud
>> Platform, like most cloud providers and enterprise networks, does not
>> support multicast
>
> https://cloudplatform.googleblog.com/2016/02/JGroups-based-clustering-and-node-discovery-with-Google-Cloud-Storage.html
>
> Do we need to take the route and use the GOOGLE_PING method for node discovery?
>
> Any hints on this topic are quite valuable.
> > Thanks, > > On 11/09/2016 02:54 PM, Staffan wrote: > > I have verified that `hostname -i` works with Minikube, but not yet a > > multi-node cluster. > > > > Created PR https://github.com/jboss-dockerfiles/keycloak/pull/59 for the > > official HA docker image. > > > > Is the following warning in keycloak logs something that affects > clustering? > > > > WARN [org.jboss.as.txn] (ServerService Thread Pool -- 49) WFLYTX0013: > Node > > identifier property is set to the default value. Please make sure it is > > unique. > > > > It can be remedied using > > https://github.com/Reposoft/keycloak-ha-kubernetes/commit/ > 413665f0c0827f8fa35379cc1f78098124290cd8 > > but I have avoided config file changes. > > > > /Staffan > > > > On Tue, Nov 8, 2016 at 3:06 PM, Alan Gibson > wrote: > > > >> Hi Staffan, > >> > >> We've got 3 clustered Keycloak nodes running in Docker with host (not > >> bridge) networking and managed by Mesos/Marathon. Cluster communications > >> run over UDP. We start them with the following command. 
> >> > >> /opt/jboss/docker-entrypoint.sh -Dkeycloak.migration.action={{ > keycloak_migration_action}} > >> -Dkeycloak.migration.provider={{keycloak_migration_provider}} > >> -Dkeycloak.migration.file={{keycloak_migration_file}} > >> -Dkeycloak.migration.strategy={{keycloak_migration_strategy}} > >> -Djboss.jgroups.stack={{keycloak_jgroups_stack}} > >> -Djboss.jgroups.udp.port={{keycloak_jgroups_udp_port}} > >> -Djboss.jgroups.udp.multicast.port={{keycloak_jgroups_udp_ > multicast_port}} > >> -Djboss.jgroups.udp.fd.port={{keycloak_jgroups_udp_fd_port}} > >> -Djboss.management.http.port=$PORT1 -Djboss.http.port=$PORT0 > >> -Djboss.bind.address.private=$(hostname -i) -b 0.0.0.0 -bmanagement > >> 0.0.0.0 --server-config standalone-ha.xml > >> > >> keycloak_jgroups_stack: udp > >> keycloak_jgroups_udp_port: 5520 > >> keycloak_jgroups_udp_multicast_port: 4568 > >> keycloak_jgroups_udp_fd_port: 5420 > >> > >> The magic ingredient is using getting the jboss.bind.address.private > >> address from the shell with $(hostname -i). Note that this is definitely > >> not foolproof, so YMMV. > >> > >> Br, Alan > >> > >> On Tue, Nov 8, 2016 at 11:59 AM, Staffan wrote: > >> > >>> Hi, > >>> > >>> I've tried in different docker environments (compose, kubernetes, > >>> standalone) to get a HA setup running using https://hub.docker.com/r/ > >>> jboss/keycloak-ha-postgres/ > >>> . > >>> > >>> Keycloak nodes start, but are unaware of each other. I fail to reach > the > >>> JGroups ports from any other container or host system. That is > expected, > >>> as > >>> https://keycloak.gitbooks.io/server-installation-and-configu > >>> ration/content/v/2.3/topics/clustering/multicast.html > >>> advises you to configure jboss.bind.address.private. 
> >>> > >>> But when I try -Djboss.bind.address.private=0.0.0.0 there's an error > >>> during > >>> startup: > >>> > >>> MSC000001: Failed to start service jboss.jgroups.channel.ee: > >>> org.jboss.msc.service.StartException in service > jboss.jgroups.channel.ee: > >>> java.security.PrivilegedActionException: java.net.BindException: > [UDP] / > >>> 0.0.0.0 is not a valid address on any local network interface > >>> at org.wildfly.clustering.jgroups.spi.service. > ChannelBuilder.start( > >>> ChannelBuilder.java:80) > >>> Caused by: java.security.PrivilegedActionException: > >>> java.net.BindException: > >>> [UDP] /0.0.0.0 is not a valid address on any local network interface > >>> at org.wildfly.security.manager.WildFlySecurityManager.doChecked( > >>> WildFlySecurityManager.java:640) > >>> Caused by: java.net.BindException: [UDP] /0.0.0.0 is not a valid > address > >>> on > >>> any local network interface > >>> at org.jgroups.util.Util.checkIfValidAddress(Util.java:3522) > >>> > >>> ... or if I switch to stack="tcp" in the jgroups subsystem: > >>> > >>> MSC000001: Failed to start service jboss.jgroups.channel.ee: > >>> org.jboss.msc.service.StartException in service > jboss.jgroups.channel.ee: > >>> java.security.PrivilegedActionException: java.net.BindException: > [TCP] / > >>> 0.0.0.0 is not a valid address on any local network interface > >>> > >>> I guess this is a generic Wildfly topic, but I'm curious how the > official > >>> Keycloak docker containers are tested. In a docker environment, what > can > >>> we > >>> bind to other than 0.0.0.0 or 127.0.0.1? Is there a way to allow a > >>> "privileged action"? 
> >>> > >>> regards > >>> Staffan Olsson > >>> _______________________________________________ > >>> keycloak-user mailing list > >>> keycloak-user at lists.jboss.org > >>> https://lists.jboss.org/mailman/listinfo/keycloak-user > >>> > >> > >> > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > Iv?n > From ivan at akvo.org Tue Nov 29 03:53:56 2016 From: ivan at akvo.org (=?UTF-8?Q?Iv=c3=a1n_Perdomo?=) Date: Tue, 29 Nov 2016 09:53:56 +0100 Subject: [keycloak-user] Expose JGroups ports in Docker keycloak-ha-postgres In-Reply-To: References: <172f3778-45d3-64ee-cf41-034d8a5c1676@akvo.org> Message-ID: <734c5a93-aad1-831f-f43c-df11595a5db2@akvo.org> Hi, We have also have a running proof-of-concept using Kubernetes on GCP and CloudSQL (hosted MySQL) as database. I our case we use GOOGLE_PING for node discovery and disable `ip_mcast` at JGroups level. https://github.com/akvo/akvo-platform/tree/master/k8s/keycloak-ha-mysql On 11/29/2016 09:44 AM, Staffan wrote: > Hi, > > After lots of trial-and-error we're now running Keycloak HA reliably in > Kubernetes. I've summed up our conclusions in > https://github.com/jboss-dockerfiles/keycloak/pull/62. > > The JDBC_PING class works out of the box with MySQL and the > `datasource_jndi_name` property is a great fit with Keycloak's config. > > I tried KUBE_PING but gave up when the jars weren't available in > Keycloak, and I found docs insufficient for how to build + bundle + > configure. > > I also tried GOOGLE_PING and, with https://github.com/minio/minio, > S3_PING but ran into access control issues. > > The other ping impls may have their advantages, but JDBC_PING worked out > of the box. > > /Staffan > > On Thu, Nov 10, 2016 at 9:46 AM, Iv?n Perdomo > wrote: > > Hi, > > I'm also interesting on running Keycloak HA with Kubernetes/Google Cloud > Platform. 
> > > JGroups members use multicast communication over UDP to broadcast > > their presence to other instances on a network. Google Cloud > > Platform, like most cloud providers and enterprise networks, does not > > support multicast > > https://cloudplatform.googleblog.com/2016/02/JGroups-based-clustering-and-node-discovery-with-Google-Cloud-Storage.html > > > Do we need to take the route and use GOOGLE_PING method for node > discovery? > > Any hints on this topic are quite valuable. > > Thanks, > > On 11/09/2016 02:54 PM, Staffan wrote: > > I have verified that `hostname -i` works with Minikube, but not yet a > > multi-node cluster. > > > > Created PR https://github.com/jboss-dockerfiles/keycloak/pull/59 > for the > > official HA docker image. > > > > Is the following warning in keycloak logs something that affects > clustering? > > > > WARN [org.jboss.as.txn] (ServerService Thread Pool -- 49) > WFLYTX0013: Node > > identifier property is set to the default value. Please make sure > it is > > unique. > > > > It can be remedied using > > > https://github.com/Reposoft/keycloak-ha-kubernetes/commit/413665f0c0827f8fa35379cc1f78098124290cd8 > > > but I have avoided config file changes. > > > > /Staffan > > > > On Tue, Nov 8, 2016 at 3:06 PM, Alan Gibson > wrote: > > > >> Hi Staffan, > >> > >> We've got 3 clustered Keycloak nodes running in Docker with host (not > >> bridge) networking and managed by Mesos/Marathon. Cluster > communications > >> run over UDP. We start them with the following command. 
> >> > >> /opt/jboss/docker-entrypoint.sh > -Dkeycloak.migration.action={{keycloak_migration_action}} > >> -Dkeycloak.migration.provider={{keycloak_migration_provider}} > >> -Dkeycloak.migration.file={{keycloak_migration_file}} > >> -Dkeycloak.migration.strategy={{keycloak_migration_strategy}} > >> -Djboss.jgroups.stack={{keycloak_jgroups_stack}} > >> -Djboss.jgroups.udp.port={{keycloak_jgroups_udp_port}} > >> > -Djboss.jgroups.udp.multicast.port={{keycloak_jgroups_udp_multicast_port}} > >> -Djboss.jgroups.udp.fd.port={{keycloak_jgroups_udp_fd_port}} > >> -Djboss.management.http.port=$PORT1 -Djboss.http.port=$PORT0 > >> -Djboss.bind.address.private=$(hostname -i) -b 0.0.0.0 -bmanagement > >> 0.0.0.0 --server-config standalone-ha.xml > >> > >> keycloak_jgroups_stack: udp > >> keycloak_jgroups_udp_port: 5520 > >> keycloak_jgroups_udp_multicast_port: 4568 > >> keycloak_jgroups_udp_fd_port: 5420 > >> > >> The magic ingredient is using getting the jboss.bind.address.private > >> address from the shell with $(hostname -i). Note that this is > definitely > >> not foolproof, so YMMV. > >> > >> Br, Alan > >> > >> On Tue, Nov 8, 2016 at 11:59 AM, Staffan > wrote: > >> > >>> Hi, > >>> > >>> I've tried in different docker environments (compose, kubernetes, > >>> standalone) to get a HA setup running using > https://hub.docker.com/r/ > >>> jboss/keycloak-ha-postgres/ > >>> >. > >>> > >>> Keycloak nodes start, but are unaware of each other. I fail to > reach the > >>> JGroups ports from any other container or host system. That is > expected, > >>> as > >>> https://keycloak.gitbooks.io/server-installation-and-configu > > >>> ration/content/v/2.3/topics/clustering/multicast.html > >>> advises you to configure jboss.bind.address.private. 
> >>> > >>> But when I try -Djboss.bind.address.private=0.0.0.0 there's an error > >>> during > >>> startup: > >>> > >>> MSC000001: Failed to start service jboss.jgroups.channel.ee > : > >>> org.jboss.msc.service.StartException in service > jboss.jgroups.channel.ee : > >>> java.security.PrivilegedActionException: java.net.BindException: > [UDP] / > >>> 0.0.0.0 is not a valid address on any local network interface > >>> at > org.wildfly.clustering.jgroups.spi.service.ChannelBuilder.start( > >>> ChannelBuilder.java:80) > >>> Caused by: java.security.PrivilegedActionException: > >>> java.net.BindException: > >>> [UDP] /0.0.0.0 is not a valid address on any > local network interface > >>> at > org.wildfly.security.manager.WildFlySecurityManager.doChecked( > >>> WildFlySecurityManager.java:640) > >>> Caused by: java.net.BindException: [UDP] /0.0.0.0 > is not a valid address > >>> on > >>> any local network interface > >>> at org.jgroups.util.Util.checkIfValidAddress(Util.java:3522) > >>> > >>> ... or if I switch to stack="tcp" in the jgroups subsystem: > >>> > >>> MSC000001: Failed to start service jboss.jgroups.channel.ee > : > >>> org.jboss.msc.service.StartException in service > jboss.jgroups.channel.ee : > >>> java.security.PrivilegedActionException: java.net.BindException: > [TCP] / > >>> 0.0.0.0 is not a valid address on any local network interface > >>> > >>> I guess this is a generic Wildfly topic, but I'm curious how the > official > >>> Keycloak docker containers are tested. In a docker environment, > what can > >>> we > >>> bind to other than 0.0.0.0 or 127.0.0.1? Is there a way to allow a > >>> "privileged action"? 
> >>> > >>> regards > >>> Staffan Olsson > >>> _______________________________________________ > >>> keycloak-user mailing list > >>> keycloak-user at lists.jboss.org > >>> https://lists.jboss.org/mailman/listinfo/keycloak-user > > >>> > >> > >> > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > -- > Iv?n > > -- Iv?n From Edgar at info.nl Tue Nov 29 04:15:07 2016 From: Edgar at info.nl (Edgar Vonk - Info.nl) Date: Tue, 29 Nov 2016 09:15:07 +0000 Subject: [keycloak-user] Hardcoded role mappers in user federation provider - roles not applied In-Reply-To: <33fca8b0-e4e0-0bf4-836f-b650e71b9177@redhat.com> References: <48AD9DE5-2C6E-42D9-B39D-9F5F7DC456EA@info.nl> <33fca8b0-e4e0-0bf4-836f-b650e71b9177@redhat.com> Message-ID: Hi Marek, I have created https://issues.jboss.org/browse/KEYCLOAK-3994. Hope it?s clear enough. cheers Edgar On 25 Nov 2016, at 10:11, Marek Posolda > wrote: On 24/11/16 16:18, Edgar Vonk - Info.nl wrote: Hi all, We are struggling with the hardcoded role mapper in Keycloak 2.3.0.Final. What we have is a User Federation provider that connects to MSAD/LDAP with: - a hardcoded role mapper that adds role X - a hardcoded role mapper that adds role Y - a role mappings mapper that maps all LDAP groups in a certain DN to predefined roles in Keycloak; now the thing is: these LDAP groups map to the very same predefined roles X and Y My first question: is this setup supposed to work? Do the hardcoded role mappers play nicely with a role mappings mapper when they use the same roles? What we see is so far kind of unpredictable. Sometimes users end up with role X, sometimes with no role at all, etc. What I think is happening is: - the mappers are applied in random order in Keycloak (is this the case?) Yes, it is. I was thinking about add priority, but didn't yet do it. Could you please create JIRA? 
Thanks,
Marek

- the role mappings mapper may remove roles X and/or Y if they are applied to a hardcoded role mapper if it happens to be applied last?

cheers
Edgar
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From solsson at gmail.com Tue Nov 29 04:31:40 2016
From: solsson at gmail.com (Staffan)
Date: Tue, 29 Nov 2016 10:31:40 +0100
Subject: [keycloak-user] Accessing JGroups ports in Docker keycloak-ha-postgres
In-Reply-To:
References:
Message-ID:

After lots of experimentation, I found keycloak-mysql to be more useful than keycloak-ha-postgres for HA in Kubernetes. See https://github.com/jboss-dockerfiles/keycloak/pull/62

There is some more background in the JGroups mailing list thread "Expose JGroups ports in Docker keycloak-ha-postgres".

/Staffan

On Tue, Nov 8, 2016 at 11:29 AM, Staffan wrote:
> Hi,
>
> I've tried in different docker environments (compose, kubernetes, standalone) to get a HA setup running using https://hub.docker.com/r/jboss/keycloak-ha-postgres/.
>
> Keycloak nodes start all right, but are unaware of each other. Curiously I fail to reach the JGroups ports from any other container or host system.
>
> When I try -Djboss.bind.address.private=0.0.0.0 there's an error during startup:
>
> MSC000001: Failed to start service jboss.jgroups.channel.ee: org.jboss.msc.service.StartException in service jboss.jgroups.channel.ee: java.security.PrivilegedActionException: java.net.BindException: [UDP] /0.0.0.0 is not a valid address on any local network interface
> at org.wildfly.clustering.jgroups.spi.service.ChannelBuilder.start(ChannelBuilder.java:80)
> Caused by: java.security.PrivilegedActionException: java.net.BindException: [UDP] /0.0.0.0 is not a valid address on any local network interface
> at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:640)
> Caused by: java.net.BindException: [UDP] /0.0.0.0 is not a valid address on any local network interface
> at org.jgroups.util.Util.checkIfValidAddress(Util.java:3522)
>
> ... or if I switch to stack="tcp" in the jgroups subsystem:
>
> MSC000001: Failed to start service jboss.jgroups.channel.ee: org.jboss.msc.service.StartException in service jboss.jgroups.channel.ee: java.security.PrivilegedActionException: java.net.BindException: [TCP] /0.0.0.0 is not a valid address on any local network interface
>
> I guess this is a generic Wildfly topic, but I'm curious how the official Keycloak docker containers are tested. In a docker context, the only two interfaces I can bind to are 0.0.0.0 and 127.0.0.1.
>
> regards
> Staffan Olsson

From haimv at perfectomobile.com Tue Nov 29 10:46:55 2016
From: haimv at perfectomobile.com (Haim Vana)
Date: Tue, 29 Nov 2016 15:46:55 +0000
Subject: [keycloak-user] Password policy when password is updated using admin API
Message-ID:

Hi,

Currently Keycloak is not exposed directly to our customers, hence all user operations are being done in our application background using the admin API.
We noticed that when changing a user password from the admin API the password policy is not enforced, for example when setting a password history policy.

Can you please advise if it is by design? If so, do you have any suggestion how to handle the password policy in our case (using the admin API we can't get the user's current or previous passwords)?

Thanks,
Haim.

The information contained in this message is proprietary to the sender, protected from disclosure, and may be privileged. The information is intended to be conveyed only to the designated recipient(s) of the message. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you.

From haimv at perfectomobile.com Tue Nov 29 11:18:48 2016
From: haimv at perfectomobile.com (Haim Vana)
Date: Tue, 29 Nov 2016 16:18:48 +0000
Subject: [keycloak-user] Password policy when password is updated using admin API
Message-ID:

I checked it again and the password policy is enforced :) I accidentally set its value to 1 so it didn't do anything (maybe a UI warning should be added).

However when failing on the password reset from the admin API due to the policy I am getting - javax.ws.rs.BadRequestException: HTTP 400 Bad Request, while I was expecting something like - password history exception or something like that.

Any idea how I can notify the user that its password was already used?

Thanks,
Haim.

From amaeztu at tesicnor.com Tue Nov 29 11:25:18 2016
From: amaeztu at tesicnor.com (Aritz Maeztu)
Date: Tue, 29 Nov 2016 17:25:18 +0100
Subject: [keycloak-user] How to stop the keycloak server from standalone sh
Message-ID: <608772ee-ef7a-d363-523f-831ca305e905@tesicnor.com>

Hello,

I'm running a keycloak instance from a docker image, so when I start the container everything is up and running. Now I want to export the realms and users to deploy it in production and I've got two chances:

1- Copy the values from the mysql database (I'm using the keycloak-mysql image).

2- Run the standalone.sh export command.
I would like to go the second way, but I'm in trouble since the wildfly server is launched with the docker container altogether. I can browse into it for the standalone.sh script, but still haven't found a way to stop it (as the server is launched I get an "Address already in use" error when I try to perform the export while the server is running).

Any ideas? Thanks in advance

--
Aritz Maeztu Otaño
Software Development Department

Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E
31110 Noain (Navarra)

Tel. Aritz Maeztu: 948 68 03 06
Tel. Secretariat: 948 21 40 40

From ssilvert at redhat.com Tue Nov 29 13:00:52 2016
From: ssilvert at redhat.com (Stan Silvert)
Date: Tue, 29 Nov 2016 13:00:52 -0500
Subject: [keycloak-user] How to stop the keycloak server from standalone sh
In-Reply-To: <608772ee-ef7a-d363-523f-831ca305e905@tesicnor.com>
References: <608772ee-ef7a-d363-523f-831ca305e905@tesicnor.com>
Message-ID: <583DC254.7050303@redhat.com>

If I understand correctly, you are asking if there is a way to trigger the export when you don't have access to the command line? You want to do something like this?

bin/standalone.sh -Dkeycloak.migration.action=export -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=

It is possible to set system properties like those above from standalone.xml. If you don't have direct access to edit standalone.xml, you can set them with the WildFly admin console or connect with jboss-cli.

Then reboot the server and the export should happen. I say "should" because I've never actually tried it.

From chris.stephens at edlogics.com Tue Nov 29 18:36:52 2016
From: chris.stephens at edlogics.com (Chris Stephens)
Date: Tue, 29 Nov 2016 23:36:52 +0000
Subject: [keycloak-user] Does refreshing the token extend the session?
Message-ID: <2D96A84A-E0D9-4945-A098-5D56D3D1CDFD@edlogics.com>

We have an angular app and are using the keycloak js adapter. We refresh the token if it expires within 5 seconds. We also refresh the token every 15 minutes. Our users can jump in and out of our angular app. When they come back in, the initialization logic goes to the keycloak server to make sure they are logged in.

What our QA team is telling us is after 2-3 hours of clicking on the site the user is no longer logged in, but some of the calls with bearer tokens still go through. We need to know if refreshing the token or doing the 'check-sso' extends the session.

Christopher Stephens

From jessec at stytch.com Tue Nov 29 18:50:28 2016
From: jessec at stytch.com (Jesse Chahal)
Date: Tue, 29 Nov 2016 15:50:28 -0800
Subject: [keycloak-user] Wildfly adapter: failed to turn code into token: java.net.SocketException
In-Reply-To:
References:
Message-ID:

I've found the cause of the issue and wanted to report back in case others also have this issue.
The problem was being caused by AWS NAT Gateway instances terminating long-lived connections after 5 mins using a RST packet instead of a FIN packet (read up on the TCP protocol if unfamiliar with the different packet types). In our case the keycloak server and the app servers live in different networks, so they need to go through the NAT Gateway to talk to each other. It is considered good (and common) practice in the AWS world to use NAT Gateways.

The apache HTTPClient does connection pooling with 20 connections by default. It also supposedly does retry once or twice. The problem here is that all the connections within the pool are essentially dead because of RST packets sent to all connections within the pool (HTTPClient doesn't seem to handle this well). So when the client does retry with new connections in the pool it continues to fail.

What we did was have a proxy (read this as AWS ELB) terminate connections after 60 seconds (this is the default behaviour of AWS ELBs) using FIN packets. This cleaner connection destruction is handled better by apache HTTPClient. Another possible (but bad) solution is to change the connection pooling to 1 using keycloak adapter settings, as when the retry happens a new connection will be made instead of using another bad connection in the pool.

I hope this description will save someone the weeks of time that it took for us to discover and resolve the issue. A good feature request here might have been to allow users to configure a connection timeout for the keycloak adapter. This feature is supported by HTTPClient but is not exposed by the adapter. Should be easy to add support for this.

On Mon, Nov 28, 2016 at 4:50 PM, Jesse Chahal wrote:
> We have been able to reproduce this problem using a single user where we dedicated 2 wildfly app servers and 1 keycloak server purely to test this out. We have also been able to reproduce this when trying to use multiple users as well (but I think the single user scenario is more important). I believe it may somehow be router/network related but I have yet to find a way to prove it. I don't believe there are any docker network related limitations in regards to connections. Before this switch we have been running keycloak in production for a while as well as the app servers (on full VMs instead of docker). It is unlikely that the problem exists in any of our app servers' configuration since the configuration is 99% the same. In the new setup wildfly app servers live in docker (which are based off of the official jboss wildfly docker images).
>
> Jesse
>
> On Fri, Nov 25, 2016 at 1:01 AM, Marek Posolda wrote:
>
>> Does this happen just if more users try to login concurrently? It seems there is some limit somewhere for the number of maximum connections. Maybe it will help to increase the maximum number of threads at the undertow subsystem on the Keycloak side, or maybe at the AWS ELB load balancer side? Or maybe there is even some limit at the docker level?
>>
>> AFAIK the Apache HTTP Client (which is used by our adapters under the hood for exchanging the code for a token) has some retry strategy enabled by default. AFAIK we don't allow tweaking this, but it's likely 1 or 2 retries for each failed HTTP request AFAIK. However this should rather be tweaked by increasing the pool of connections for your server. Relying on Apache HTTP client retries doesn't look like a good solution IMO.
>>
>> Marek
>>
>> On 25/11/16 01:48, Jesse Chahal wrote:
>>
>>> We very recently started working on moving our web/app servers to AWS ECS (docker). We have been using docker locally for a very long time without issues.
>>> During this transition we started seeing intermittent login failures through the normal confidential browser redirect flow (not using implicit). It inconsistently fails during the process of turning an authorization code into a bearer+refresh_token. The exception is always the same as well.
>>> I have done tcpdump packet analysis for things such as RST packets but have not seen anything that would result in this issue. I have confirmed that the adapter does have the authorization code (although I don't know how to validate it). I have confirmed that the date+times are synchronized in both the auth server and the app server (therefore no weird expiration issues).
>>> I have posted a stacktrace from the adapter in case anyone else has seen this issue before. I'm hoping at the very least that maybe we could add a retry mechanism to the adapter if a Connection reset issue occurs if no other solutions present themselves.
>>>
>>> Current network setup:
>>> Keycloak.2.1.0.Final on Centos6 EC2/VM --> AWS ELB load balancer --> internet -->
>>>     <--------------------------------------------------------------------------------
>>> AWS NAT Gateway --> AWS ELB load balancer --> Amazon Linux ECS EC2/VM --> Wildfly10 docker container + keycloak 2.1.0-wildfly-adapter
>>>
>>> ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-13) [ ] failed to turn code into token: java.net.SocketException: Connection reset
>>> at java.net.SocketInputStream.read(SocketInputStream.java:209) [rt.jar:1.8.0_111]
>>> at java.net.SocketInputStream.read(SocketInputStream.java:141) [rt.jar:1.8.0_111]
>>> at sun.security.ssl.InputRecord.readFully(InputRecord.java:465) [jsse.jar:1.8.0_111]
>>> at sun.security.ssl.InputRecord.read(InputRecord.java:503) [jsse.jar:1.8.0_111]
>>> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973) [jsse.jar:1.8.0_111]
>>> at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:930) [jsse.jar:1.8.0_111]
>>> at sun.security.ssl.AppInputStream.read(AppInputStream.java:105) [jsse.jar:1.8.0_111]
>>> at org.apache.http.impl.io.AbstractSessionInputBuffer.fillBuffer(AbstractSessionInputBuffer.java:160)
>>> at org.apache.http.impl.io.SocketInputBuffer.fillBuffer(SocketInputBuffer.java:84)
>>> at org.apache.http.impl.io.AbstractSessionInputBuffer.readLine(AbstractSessionInputBuffer.java:273)
>>> at org.apache.http.impl.conn.DefaultHttpResponseParser.parseHead(DefaultHttpResponseParser.java:140)
>>> at org.apache.http.impl.conn.DefaultHttpResponseParser.parseHead(DefaultHttpResponseParser.java:57)
>>> at org.apache.http.impl.io.AbstractMessageParser.parse(AbstractMessageParser.java:261)
>>> at org.apache.http.impl.AbstractHttpClientConnection.receiveResponseHeader(AbstractHttpClientConnection.java:283)
>>> at org.apache.http.impl.conn.DefaultClientConnection.receiveResponseHeader(DefaultClientConnection.java:251)
>>> at org.apache.http.impl.conn.AbstractClientConnAdapter.receiveResponseHeader(AbstractClientConnAdapter.java:223)
>>> at org.apache.http.protocol.HttpRequestExecutor.doReceiveResponse(HttpRequestExecutor.java:272)
>>> at org.apache.http.protocol.HttpRequestExecutor.execute(HttpRequestExecutor.java:124)
>>> at org.apache.http.impl.client.DefaultRequestDirector.tryExecute(DefaultRequestDirector.java:685)
>>> at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:487)
>>> at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882)
>>> at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
>>> at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
>>> at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
>>> at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:107)
>>> at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:327)
>>> at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:273)
>>> at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:130)
>>> at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
>>> at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:92)
>>> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233)
>>> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250)
>>> at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219)
>>> at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121)
>>> at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:96)
>>> at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:89)
>>> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
>>> at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>> at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
>>> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>>> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>>> at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
>>> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>>> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>>> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>>> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>> at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69)
>>> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>>> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>>> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>>> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>>> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>>> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>>> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_111]
>>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_111]
>>> at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_111]
>>>
>>> 2016-11-24 22:37:14,255 WARN [com.indicee.service.authorization.EjbTimerInterceptor] (default task-13) [ ] UserIdentityServiceImpl:findByEmail took 484 ms
>>> 2016-11-24 22:37:14,256 WARN [com.indicee.service.authorization.EjbTimerInterceptor] (default task-13) [ ] AccountSrvImpl:isCurrentAccountUnknown took 499 ms
>>> 2016-11-24 22:37:14,257 WARN [com.indicee.service.authorization.EjbTimerInterceptor] (default task-13) [ ] BrandedVariableLookupSrvImpl:cacheKey took 500 ms
>>> 2016-11-24 22:37:14,959 WARN [com.indicee.service.authorization.EjbTimerInterceptor] (default task-13) [ ] UserIdentityServiceImpl:findByEmail took 697 ms
>>> 2016-11-24 22:37:14,960 WARN [com.indicee.service.authorization.EjbTimerInterceptor] (default task-13) [ ] AccountSrvImpl:isCurrentAccountUnknown took 701 ms
>>> 2016-11-24 22:37:14,962 WARN
[com.indicee.service.authorization.EjbTimerInterceptor] (default >>> task-13) >>> [ ] BrandedVariableLookupSrvImpl:getVariables took 703 ms >>> 2016-11-24 22:37:15,095 INFO >>> [com.indicee.service.servlet.filter.ClientRequestIdFilter] (default >>> task-14) [ ] Setting clientId [gwt_43cpg2jpm5oklfjkuue204jsmh] for >>> session >>> [qAYdgQ6PytsZ8kG5ah6mxEdmGeNPQpgT_2ExqU6A] created [1480026525644] >>> 2016-11-24 22:37:15,096 INFO >>> [com.indicee.service.servlet.filter.ClientRequestIdFilter] (default >>> task-14) [ ] clientRequestId via atomic integer = >>> [gwt_43cpg2jpm5oklfjkuue204jsmh_0] >>> 2016-11-24 22:37:15,138 INFO >>> [com.indicee.service.servlet.filter.ClientRequestIdFilter] (default >>> task-15) [ ] clientRequestId via atomic integer = >>> [gwt_43cpg2jpm5oklfjkuue204jsmh_1] >>> 2016-11-24 22:37:15,224 INFO >>> [com.indicee.service.servlet.filter.ClientRequestIdFilter] (default >>> task-12) [ ] clientRequestId via atomic integer = >>> [gwt_43cpg2jpm5oklfjkuue204jsmh_2] >>> 2016-11-24 22:37:15,635 WARN >>> [com.indicee.service.authorization.EjbTimerInterceptor] >>> (dInitialHandler.java:284) >>> at >>> io.undertow.servlet.handlers.ServletInitialHandler.dispatchR >>> equest(ServletIni >>> tialHandler.java:263) >>> at >>> io.undertow.servlet.handlers.ServletInitialHandler.access$00 >>> 0(ServletInitialH >>> andler.java:81) >>> at >>> io.undertow.servlet.handlers.ServletInitialHandler$1.handleR >>> equest(ServletIni >>> tialHandler.java:174) >>> at >>> io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) >>> at >>> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) >>> at >>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool >>> Executor.java:114 >>> 2) [rt.jar:1.8.0_111] >>> at >>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo >>> lExecutor.java:61 >>> 7) [rt.jar:1.8.0_111] >>> at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_111] >>> _______________________________________________ >>> 
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From bburke at redhat.com Tue Nov 29 20:12:53 2016
From: bburke at redhat.com (Bill Burke)
Date: Tue, 29 Nov 2016 20:12:53 -0500
Subject: [keycloak-user] Does refreshing the token extend the session?
In-Reply-To: <2D96A84A-E0D9-4945-A098-5D56D3D1CDFD@edlogics.com>
References: <2D96A84A-E0D9-4945-A098-5D56D3D1CDFD@edlogics.com>
Message-ID:

There is an idle timeout and a max session lifespan and an access token timeout. I don't think we check the max session lifespan when generating a token, so an access token might be active for access token timeout + max session lifespan.

On 11/29/16 6:36 PM, Chris Stephens wrote:
> We have an angular app and are using the keycloak js adapter. We refresh the token if it expires within 5 seconds. We also refresh the token every 15 minutes. Our users can jump in and out of our angular app. When they come back in, the initialization logic goes to the Keycloak server to make sure they are logged in. What our QA team is telling us is after 2-3 hours of clicking on the site the user is no longer logged in, but some of the calls with bearer tokens still go through. We need to know if refreshing the token or doing the 'check-sso' extends the session.
>
>
> Christopher Stephens
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From amaeztu at tesicnor.com Tue Nov 29 14:44:16 2016
From: amaeztu at tesicnor.com (Amaeztu)
Date: Tue, 29 Nov 2016 20:44:16 +0100
Subject: [keycloak-user] How to stop the keycloak server from standalone sh
In-Reply-To: <583DC254.7050303@redhat.com>
References: <608772ee-ef7a-d363-523f-831ca305e905@tesicnor.com> <583DC254.7050303@redhat.com>
Message-ID: <8n3uajkjh8hh2feqo6b2rn4h.1480448567185@email.android.com>

For the first reply, I could give it a try through the standalone.xml file (I can externalize it from the docker container and edit it).

For the second, yes, that's the command I'm actually trying to execute but with the issue that I don't know how to stop the server through the container.

Sent from my Sony Xperia phone

---- Stan Silvert wrote ----

>If I understand correctly, you are asking if there is a way to trigger
>the export when you don't have access to the command line?
>
>You want to do something like this?
>
>bin/standalone.sh -Dkeycloak.migration.action=export
>-Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=
>
>It is possible to set system properties like those above from
>standalone.xml. If you don't have direct access to edit standalone.xml,
>you can set them with the WildFly admin console or connect with jboss-cli.
>
>Then reboot the server and the export should happen. I say "should"
>because I've never actually tried it.
>
>On 11/29/2016 11:25 AM, Aritz Maeztu wrote:
>> Hello,
>>
>> I'm running a keycloak instance from a docker image, so when I start the
>> container everything is up and running. Now I want to export the realms
>> and users to deploy it in production and I've got two chances:
>>
>> 1- Copy the values from the mysql database (I'm using the keycloak-mysql
>> image).
>>
>> 2- Run the standalone.sh export command.
>>
>> I would like to go the second way, but I'm into trouble since the
>> WildFly server is launched with the docker container altogether. I can
>> browse in to it for the standalone.sh script, but still haven't found a
>> way to stop it (as the server is launched I get an "Address already in
>> use" error when I try to perform the export while the server is running).
>>
>> Any ideas? Thanks in advance
>>
>>
>>
>
>_______________________________________________
>keycloak-user mailing list
>keycloak-user at lists.jboss.org
>https://lists.jboss.org/mailman/listinfo/keycloak-user

From ssilvert at redhat.com Wed Nov 30 07:38:34 2016
From: ssilvert at redhat.com (Stan Silvert)
Date: Wed, 30 Nov 2016 07:38:34 -0500
Subject: [keycloak-user] How to stop the keycloak server from standalone sh
In-Reply-To: <8n3uajkjh8hh2feqo6b2rn4h.1480448567185@email.android.com>
References: <608772ee-ef7a-d363-523f-831ca305e905@tesicnor.com> <583DC254.7050303@redhat.com> <8n3uajkjh8hh2feqo6b2rn4h.1480448567185@email.android.com>
Message-ID: <583EC84A.4040004@redhat.com>

There is a jboss-cli command for restarting the server.

/:reload

Or, you can try this one:

/:shutdown(restart=true,timeout=0)

On 11/29/2016 2:44 PM, Amaeztu wrote:
> For the first reply, I could give it a try through the standalone.xml file (I can externalize it from the docker container and edit it).
>
> For the second, yes, that's the command I'm actually trying to execute but with the issue that I don't know how to stop the server through the container.
>
> Sent from my Sony Xperia phone
>
> ---- Stan Silvert wrote ----
>
>> If I understand correctly, you are asking if there is a way to trigger
>> the export when you don't have access to the command line?
>>
>> You want to do something like this?
>>
>> bin/standalone.sh -Dkeycloak.migration.action=export
>> -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=
>>
>> It is possible to set system properties like those above from
>> standalone.xml. If you don't have direct access to edit standalone.xml,
>> you can set them with the WildFly admin console or connect with jboss-cli.
>>
>> Then reboot the server and the export should happen. I say "should"
>> because I've never actually tried it.
>>
>> On 11/29/2016 11:25 AM, Aritz Maeztu wrote:
>>> Hello,
>>>
>>> I'm running a keycloak instance from a docker image, so when I start the
>>> container everything is up and running. Now I want to export the realms
>>> and users to deploy it in production and I've got two chances:
>>>
>>> 1- Copy the values from the mysql database (I'm using the keycloak-mysql
>>> image).
>>>
>>> 2- Run the standalone.sh export command.
>>>
>>> I would like to go the second way, but I'm into trouble since the
>>> WildFly server is launched with the docker container altogether. I can
>>> browse in to it for the standalone.sh script, but still haven't found a
>>> way to stop it (as the server is launched I get an "Address already in
>>> use" error when I try to perform the export while the server is running).
>>>
>>> Any ideas? Thanks in advance
>>>
>>>
>>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From celso.agra at gmail.com Wed Nov 30 11:28:42 2016
From: celso.agra at gmail.com (Celso Agra)
Date: Wed, 30 Nov 2016 13:28:42 -0300
Subject: [keycloak-user] Creating an user by rest api
Message-ID:

Hi all,

I'm configuring keycloak to perform some actions with rest api.
I'm trying to create a user using the register action (like the register page), but when I call the rest api:

curl -H "Accept: application/json" -H "Content-Type:application/json" -X POST -d "{'username' : 'bburke', 'enabled': true, 'email' : 'bburke@redhat.com', 'firstName': 'Bill', 'lastName': 'Burke', 'credentials' : [{ 'type' : 'password', 'value' : 'password' } ], 'realmRoles': [ 'user', 'offline_access' ], 'clientRoles': {'account': [ 'manage-account' ] } }" http://localhost:8080/admin/realms/servlet-authz/users

I got a 404 error. Would it be possible to create a user just using the rest API?

Thank you.

best regards,
Celso Agra.

From to.petrovski at gmail.com Wed Nov 30 11:29:22 2016
From: to.petrovski at gmail.com (Nikolay Petrovski)
Date: Wed, 30 Nov 2016 18:29:22 +0200
Subject: [keycloak-user] Custom UserStorage module issue
Message-ID:

Hi,

I have the following problem - trying to create a custom UserStorageProvider over my new installation of Keycloak 2.4.0.Final. The Kc instance is configured to work with MongoDB local storage, and I want to attach another external user storage.

Everything in my custom module seems to work fine, until it gets to:

...
@Override
public UserModel addUser(final RealmModel realm, String username) {
    // Add local storage user
    UserModel user = session.userLocalStorage().addUser(realm, username);
    user.setFederationLink(model.getId());

    return proxy(realm, user, remoteUser);
}
...

That proxy method extends with several UserModelDelegate(s), one of them is a KeycloakTransaction-driven model delegate, which should do the external storage user creation on the commit() action.

Pretty much the same code as the LDAP UserStoreProvider.

The problem comes when I try to register a new user and commit() is called (KeycloakTransaction is closed): only the "email" and "custom attribute" properties are filled (setEmail() and setAttribute() are called) within my delegated object.
The user I am trying to create in my external source has only the "Email" and "Phone (as a custom attribute)" values populated after the registration process.

Any idea if I'm missing something? Or, any other way I can get the whole UserModel populated while registering a new user in Keycloak, so then I can send it over to my external user storage?

From glavoie at gmail.com Wed Nov 30 11:33:45 2016
From: glavoie at gmail.com (Gabriel Lavoie)
Date: Wed, 30 Nov 2016 11:33:45 -0500
Subject: [keycloak-user] Keycloak behind 2 Nginx reverse proxies (HTTPS -> HTTP)
In-Reply-To:
References:
Message-ID:

Hi Andrew,

The answer is "it depends". When generating tokens or metadata, Keycloak uses the scheme://hostname:port/ that was used to access it to fill the different issuers/URLs. The same values must match in the client JSON file so the client can validate the source of the token. At the client level, this could be handled by having a custom translation step over the configuration that accepts both schemes and matches them to the issuer, not something that Keycloak seems to support natively last time I checked.

Doing SSO through multiple aliases always has this sort of issue. This is usually something that should be avoided. Can you keep Keycloak HTTPS and your application HTTP in your internal network?

Gabriel

2016-11-25 8:08 GMT-05:00 Andrey Saroul :
> We have an idea to isolate our application in our internal network so that
> all communication in that network can go by HTTP.
> So we've set up a public nginx server, which is responsible for
> establishing https connections.
> The public nginx server forwards requests to another nginx server in the secured
> internal network, which in turn accesses Keycloak and WildFly by HTTP.
> But this configuration is not working because of an invalid redirect issue.
> In our client's json file we have to define auth-server-url with the HTTPS
> scheme. When we try to specify HTTP, Keycloak no longer works.
> So my question: is it possible to make things work by HTTP in the internal
> private network and have HTTPS only remain for public access?
> Any guidance will be appreciated.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Gabriel Lavoie
glavoie at gmail.com

From byteflinger at gmail.com Wed Nov 30 12:30:08 2016
From: byteflinger at gmail.com (Byte Flinger)
Date: Wed, 30 Nov 2016 18:30:08 +0100
Subject: [keycloak-user] How to set account management as welcome page
Message-ID:

It seems one is expected to put in place some sort of welcome page in keycloak, the one that is under /auth (which by default has an admin page link and a few others to the keycloak website).

I'd be pretty happy just setting the account management page as the default landing welcome page and letting admins go to the admin page directly if they want to.

Is there any way of doing that, making the app redirect to the account management page if you go to the keycloak app root address, without having a 2 step process where the user first goes to a welcome page and then clicks a link from there to the account management page?

From bburke at redhat.com Wed Nov 30 12:55:50 2016
From: bburke at redhat.com (Bill Burke)
Date: Wed, 30 Nov 2016 12:55:50 -0500
Subject: [keycloak-user] Custom UserStorage module issue
In-Reply-To:
References:
Message-ID: <573407ae-598d-38e6-541e-7dd92d652311@redhat.com>

I think I may know what the problem is. The registration page is split into multiple different processors. The user is created in one processor and the flow context is set to the user. The problem is, the context stores the user as an id and every time a processor needs the user it does a lookup by id. So, what I think is happening in your situation is that you are creating multiple different proxy objects in the same transaction and your transaction commit logic is confused by this.
I don't think the Keycloak runtime can keep track of UserModels loaded in the transaction and bypass invoking the UserStorageProvider methods. Why? Mainly because of bulk query methods.... So, you'll have to keep track of the proxies you create in your provider.

Hopefully that makes sense.

On 11/30/16 11:29 AM, Nikolay Petrovski wrote:
> Hi,
>
> I have the following problem - trying to create a custom UserStorageProvider
> over my new installation of Keycloak 2.4.0.Final. The Kc instance is
> configured to work with MongoDB local storage, and I want to attach another
> external user storage.
>
> Everything in my custom module seems to work fine, until it gets to:
>
> ...
>
> @Override
> public UserModel addUser(final RealmModel realm, String username) {
>     // Add local storage user
>     UserModel user = session.userLocalStorage().addUser(realm, username);
>     user.setFederationLink(model.getId());
>
>     return proxy(realm, user, remoteUser);
> }
> ...
>
>
> That proxy method extends with several UserModelDelegate(s), one of them
> is a KeycloakTransaction-driven model delegate, which should do the external
> storage user creation on the commit() action.
>
> Pretty much the same code as the LDAP UserStoreProvider.
>
> The problem comes when I try to register a new user and commit() is
> called (KeycloakTransaction is closed): only the "email" and "custom attribute"
> properties are filled (setEmail() and setAttribute() are called) within my
> delegated object. The user I am trying to create in my external source has
> only the "Email" and "Phone (as a custom attribute)" values populated after
> the registration process.
>
> Any idea if I'm missing something? Or, any other way I can get the whole
> UserModel populated while registering a new user in Keycloak, so then I can send
> it over to my external user storage?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
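To make Bill's advice concrete, here is an added model of the two behaviours he contrasts: a provider whose every getUserById lookup hands back a fresh transaction-aware proxy, versus one that keeps a single proxy per user id for the lifetime of the transaction. This is example code written for this digest, not Keycloak's API and not Nikolay's provider: the external store, the transaction manager, the user ids, the field names and the three-processor registration flow are all constructed here, and Keycloak's UserModel, KeycloakTransaction and registration processors are only approximated by plain Python classes.

```python
"""Added example: keeping one transaction-aware proxy per user id inside a
UserStorageProvider. Stand-alone Python model, not Keycloak code."""


class ExternalStore:
    """Stand-in for the remote store (constructed). create() sends the whole
    record, as a create-on-commit call would, so a later call overwrites."""
    def __init__(self):
        self.users = {}
        self.calls = 0
    def create(self, username, fields):
        self.calls += 1
        self.users[username] = dict(fields)


class TxManager:
    """Stand-in for KeycloakTransactionManager.enlistAfterCompletion()."""
    def __init__(self):
        self.enlisted = []
    def enlist_after_completion(self, tx):
        self.enlisted.append(tx)
    def commit(self):
        for tx in self.enlisted:
            tx.commit()
        self.enlisted.clear()


class TxAwareUserDelegate:
    """Writes go to the local user at once and are buffered for the external
    store until commit(). Only the writes THIS proxy saw are flushed."""
    def __init__(self, local, store, tx_manager):
        self.local = local            # dict standing in for the local UserModel
        self.store = store
        self.pending = {"username": local["username"]}
        tx_manager.enlist_after_completion(self)
    @property
    def id(self):
        return self.local["id"]
    def _set(self, key, value):
        self.local[key] = value
        self.pending[key] = value
    def set_email(self, value):
        self._set("email", value)
    def set_first_name(self, value):
        self._set("firstName", value)
    def set_last_name(self, value):
        self._set("lastName", value)
    def set_single_attribute(self, name, value):
        self._set("attr:" + name, value)
    def commit(self):
        self.store.create(self.local["username"], self.pending)


class Provider:
    """cache_proxies=False: a fresh proxy per lookup (the reported behaviour).
    cache_proxies=True: one proxy per user id for the whole transaction."""
    def __init__(self, store, tx_manager, cache_proxies):
        self.store, self.tx, self.cache_proxies = store, tx_manager, cache_proxies
        self.local_users = {}   # stand-in for session.userLocalStorage()
        self.proxies = {}       # user id -> proxy, valid for this transaction
    def add_user(self, username):
        local = {"id": "uid-" + username, "username": username}
        self.local_users[local["id"]] = local
        return self._proxy(local)
    def get_user_by_id(self, user_id):
        local = self.local_users.get(user_id)
        return None if local is None else self._proxy(local)
    def _proxy(self, local):
        if not self.cache_proxies:
            return TxAwareUserDelegate(local, self.store, self.tx)
        proxy = self.proxies.get(local["id"])
        if proxy is None:
            proxy = self.proxies[local["id"]] = TxAwareUserDelegate(local, self.store, self.tx)
        return proxy
    def end_transaction(self):
        self.tx.commit()
        self.proxies.clear()     # proxies must not outlive the transaction


def run_registration(cache_proxies):
    """Mimic the registration flow: the user is created once, then each later
    processor re-fetches it by id from the flow context and sets some fields."""
    store = ExternalStore()
    provider = Provider(store, TxManager(), cache_proxies)
    user_id = provider.add_user("alice").id
    user = provider.get_user_by_id(user_id)      # profile processor
    user.set_first_name("Alice")
    user.set_last_name("Example")
    user = provider.get_user_by_id(user_id)      # e-mail processor
    user.set_email("alice@example.test")
    user = provider.get_user_by_id(user_id)      # custom-attribute processor
    user.set_single_attribute("phone", "+15550100")
    provider.end_transaction()
    return store


if __name__ == "__main__":
    for cached in (False, True):
        result = run_registration(cached)
        print("cache_proxies=%s: %d create() call(s), fields=%s"
              % (cached, result.calls, sorted(result.users["alice"])))
```

With cache_proxies=False the external store receives four create() calls and ends up holding whatever the last proxy happened to see (here only the username and the custom attribute), which is the partially populated user Nikolay reports; with cache_proxies=True there is one proxy, one commit and a complete record. The per-transaction map has to be cleared when the transaction ends, otherwise a stale proxy from an earlier request would be handed out with an already-committed pending set.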
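The earlier thread in this digest, Bill Burke's reply to Chris Stephens on whether refreshing the token extends the session, names three timers and a caveat: the SSO idle timeout is pushed forward by each successful refresh, the SSO max lifespan is not, and an access token issued just before the session's hard end may still be accepted for its own lifespan afterwards. The following is an added toy model of exactly that, written for this digest; it is not Keycloak or keycloak.js code, the timeout values and the refresh interval are made-up, and the cap_token_to_session switch is an assumption about a stricter policy, not a description of what Keycloak 2.x did.

```python
"""Added example: a toy model of the three timers Bill lists (SSO idle, SSO max
lifespan, access token lifespan) and of a client that refreshes on a fixed
interval. Stand-alone Python, not Keycloak or keycloak.js code; all timeouts
and the refresh interval are made-up values chosen for the demonstration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RealmTimeouts:
    sso_idle: int               # seconds since last refresh before the session dies
    sso_max: int                # seconds since login before the session dies
    access_token_lifespan: int  # seconds an access token stays valid


@dataclass(frozen=True)
class AccessToken:
    issued_at: int
    exp: int


class SessionExpired(Exception):
    pass


class SsoSession:
    """cap_token_to_session=False models the behaviour Bill describes (token exp
    is not checked against the session max). True is an assumed stricter policy
    that caps exp at the session's hard end, which is what a resource server
    should want."""
    def __init__(self, started, timeouts, cap_token_to_session=False):
        self.started = started
        self.last_refresh = started
        self.t = timeouts
        self.cap = cap_token_to_session
    def expiry(self):
        return min(self.last_refresh + self.t.sso_idle, self.started + self.t.sso_max)
    def is_alive(self, now):
        return now < self.expiry()
    def refresh(self, now):
        """A refresh-token grant or check-sso: succeeds only while the session
        is alive, and a success pushes the idle deadline forward (never the max)."""
        if not self.is_alive(now):
            raise SessionExpired("session ended at %d, refresh at %d" % (self.expiry(), now))
        self.last_refresh = now
        exp = now + self.t.access_token_lifespan
        if self.cap:
            exp = min(exp, self.started + self.t.sso_max)
        return AccessToken(issued_at=now, exp=exp)


def bearer_accepted(token, now):
    """What a resource server that checks only signature and exp decides."""
    return now < token.exp


def worst_case_token_validity(timeouts, cap_token_to_session):
    """Latest moment after login at which some access token can still be accepted."""
    if cap_token_to_session:
        return timeouts.sso_max
    return timeouts.sso_max + timeouts.access_token_lifespan


def simulate(timeouts, refresh_every, cap_token_to_session=False):
    """Log in at t=0 and refresh every `refresh_every` seconds until a refresh
    fails. Returns the last good refresh, the token it produced, the time the
    refresh failed, and the session's hard expiry at that point."""
    if refresh_every <= 0:
        raise ValueError("refresh_every must be positive")
    session = SsoSession(0, timeouts, cap_token_to_session)
    token = session.refresh(0)   # the login itself issues the first token
    now, last_ok = 0, 0
    while True:
        now += refresh_every
        try:
            token = session.refresh(now)
            last_ok = now
        except SessionExpired:
            break
    return {"last_refresh": last_ok, "token": token,
            "failed_at": now, "session_expiry": session.expiry()}


if __name__ == "__main__":
    t = RealmTimeouts(sso_idle=1800, sso_max=7200, access_token_lifespan=900)
    for cap in (False, True):
        r = simulate(t, refresh_every=1000, cap_token_to_session=cap)
        print("cap=%s: last refresh %d, session ends %d, token exp %d, bearer at 7500 -> %s"
              % (cap, r["last_refresh"], r["session_expiry"], r["token"].exp,
                 bearer_accepted(r["token"], 7500)))
```

With a 30 minute idle timeout, a 2 hour max lifespan and a 15 minute token, a client refreshing every 1000 seconds keeps the session alive right up to the max, and the token issued by the last successful refresh (at 7000 s) is still accepted at 7500 s even though the session ended at 7200 s; that is the "no longer logged in, but some bearer calls still go through" symptom. Refreshing less often than the idle timeout (every 2000 s) loses the session at the first refresh instead. Resource servers that cannot tolerate that window need to introspect the token or check the session rather than trusting exp alone.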